fix: FPs noticed with Aurora

rules/windows/network_connection/sysmon_rundll32_net_connections.yml

@@ -6,7 +6,7 @@ author: Florian Roth
 references:
   - https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
 date: 2017/11/04
-modified: 2021/11/27
+modified: 2021/12/16
 logsource:
   category: network_connection
   product: windows
@@ -15,7 +15,7 @@ detection:
     Image|endswith: '\rundll32.exe'
     Initiated: 'true'
   filter:
-    DestinationIp|startswith:
+    - DestinationIp|startswith:
       - '10.'
       - '192.168.'
       - '172.16.'
@@ -35,6 +35,8 @@ detection:
       - '172.30.'
       - '172.31.'
       - '127.'
+    - CommandLine|contains:
+      - 'PcaSvc.dll,PcaPatchSdbTask'
   condition: selection and not filter
 falsepositives:
   - Communication to other corporate systems that use IP addresses from public address spaces

rules/windows/registry_event/sysmon_registry_persistence_search_order.yml

@@ -7,7 +7,7 @@ references:
     - https://attack.mitre.org/techniques/T1546/015/
 author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
 date: 2020/04/14
-modified: 2021/12/03
+modified: 2021/12/16
 tags:
     - attack.persistence
     - attack.t1546.015
@@ -44,6 +44,10 @@ detection:
         Image:
             - C:\WINDOWS\system32\wuauclt.exe
             - C:\WINDOWS\system32\svchost.exe
+    filter_defender:
+        Image|contains|all:
+            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+            - '\MsMpEng.exe'
     condition: selection and not 1 of filter*
 falsepositives:
     - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level