Merge pull request #2487 from SigmaHQ/aurora-false-positive-fixing

fix: FPs noticed with Aurora

rules/windows/process_creation/process_creation_susp_image_missing.yml

@@ -16,7 +16,9 @@ detection:
         Image|contains: '\'
     filter:
         Image: null
-    condition: not image_absolute_path and not filter
+    filter_4688:
+        Image: 'Registry'
+    condition: not image_absolute_path and not 1 of filter*
 falsepositives:
     - unknown
 level: high

rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml

@@ -3,7 +3,7 @@ id: db809f10-56ce-4420-8c86-d6a7d793c79c
 description: Raw disk access using illegitimate tools, possible defence evasion
 author: Teymur Kheirkhabarov, oscd.community
 date: 2019/10/22
-modified: 2021/12/18
+modified: 2021/12/22
 references:
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 tags:
@@ -36,6 +36,7 @@ detection:
             - '\lsass.exe'
             - '\svchost.exe'
             - '\MsMpEng.exe'
+            - '\SearchApp.exe'
             - 'C:\Windows\System32\taskhostw.exe'
             - 'C:\Windows\System32\SrTasks.exe'
             - 'C:\Windows\System32\dllhost.exe'
@@ -47,6 +48,9 @@ detection:
             - 'C:\Program Files\Bitdefender Antivirus Free\updatesrv.exe'
             - 'C:\Program Files\Bitdefender Antivirus Free\downloader.exe'
             - 'C:\Program Files\Bitdefender Antivirus Free\vsserv.exe'
+            - 'C:\Windows\System32\backgroundTaskHost.exe'
+            - 'C:\Windows\System32\RuntimeBroker.exe'
+            - 'C:\Windows\System32\MoUsoCoreWorker.exe'
     filter_Keybase:
         Image|endswith: '\Keybase\upd.exe'
     condition: not 1 of filter_*