fix: FPs found in testing env (#3743)

rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml

@@ -6,7 +6,7 @@ references:
     - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 author: Tim Shelton, Florian Roth, Yassine Oukessou (fix + fp)
 date: 2022/01/13
-modified: 2022/07/27
+modified: 2022/12/02
 logsource:
     category: process_creation
     product: windows
@@ -32,6 +32,9 @@ detection:
         ParentCommandLine|contains: ' C:\Program Files\SplunkUniversalForwarder\'
     filter_localserver_fp:
         CommandLine|contains: ' -localserver '
+    filter_mcafee:
+        - ParentCommandLine|startswith: 'C:\Windows\system32\rundll32.exe" "C:\Program Files\McAfee\MSC\mcmscins.dll",DllUninstallFunction '
+        - CommandLine|startswith: 'C:\Windows\system32\rundll32.exe" /uninstall /longpath "C:\Program Files\McAfee\MSC\mscrem.inf'
     condition: selection and not 1 of filter*
 fields:
     - Image

rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml

@@ -6,7 +6,7 @@ references:
     - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
 author: Tim Rauch
 date: 2022/09/28
-modified: 2022/11/29
+modified: 2022/12/02
 tags:
     - attack.execution
     - attack.t1059
@@ -36,7 +36,9 @@ detection:
         ParentCommandLine|contains:
             - '-k apphost -s AppHostSvc'
             - '-k imgsvc'
+            - '-k localService -p -s RemoteRegistry'
             - '-k LocalSystemNetworkRestricted -p -s NgcSvc'
+            - '-k NetSvcs -p -s NcaSvc'
             - '-k netsvcs -p -s NetSetupSvc'
             - '-k netsvcs -p -s wlidsvc'
             - '-k NetworkService -p -s DoSvc'