fix: FP with new Aurora

rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml

@@ -4,7 +4,7 @@ status: experimental
 description: Detects process access to LSASS memory with suspicious access flags and from a suspicious folder
 author: Florian Roth
 date: 2021/11/27
-modified: 2022/10/20
+modified: 2022/10/25
 references:
     - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
     - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
@@ -82,9 +82,12 @@ detection:
         SourceImage|endswith:
             - '\thor64.exe'
             - '\thor.exe'
+            - '\aurora-agent-64.exe'
+            - '\aurora-agent.exe'
         GrantedAccess:
             - '0x1fffff'
             - '0x1010'
+            - '0x101010'
     filter_ms_products:
         SourceImage|contains|all:
             - '\AppData\Local\Temp\'