Merge PR #5925 from @Neo23x0 - Add filter for nsswitch and double extension in icons folder

fix: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation - Add additional path for nsswitch `/usr/share/factory/etc/nsswitch.conf`
fix: Suspicious Double Extension Files - Add a new filter `/usr/share/icons/`

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
Thanks: @marius-benthin

rules-emerging-threats/2025/Exploits/CVE-2025-32463/file_event_lnx_exploit_cve_2025_32463.yml

@@ -10,6 +10,7 @@ references:
     - https://github.com/kh4sh3i/CVE-2025-32463/blob/81bb430f84fa2089224733c3ed4bfa434c197ad4/exploit.sh
 author: Swachchhanda Shrawn Poudel (Nextron Systems)
 date: 2025-10-02
+modified: 2026-03-31
 tags:
     - attack.privilege-escalation
     - attack.t1068
@@ -22,7 +23,9 @@ detection:
     selection:
         TargetFilename|endswith: '/etc/nsswitch.conf'
     filter_main_legitimate_path:
-        TargetFilename: '/etc/nsswitch.conf'
+        TargetFilename:
+            - '/etc/nsswitch.conf'
+            - '/usr/share/factory/etc/nsswitch.conf'
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - Backup locations

rules/windows/file/file_event/file_event_win_susp_double_extension.yml

@@ -17,7 +17,7 @@ references:
     - https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
 author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2022-06-19
-modified: 2025-07-22
+modified: 2026-03-31
 tags:
     - attack.defense-evasion
     - attack.t1036.007
@@ -59,7 +59,9 @@ detection:
     #     TargetFilename|contains:
     #         - '\AppData\Roaming\Microsoft\Office\Recent\'
     #         - '\AppData\Roaming\Microsoft\Windows\Recent\'
-    condition: 1 of selection_*
+    filter_icons_linux:
+        TargetFilename|startswith: '/usr/share/icons/'
+    condition: 1 of selection_* and not 1 of filter_*
 falsepositives:
     - Unlikely
 level: high