fix: FP with proc creation Image non .exe suffix

rules/windows/process_creation/process_creation_susp_non_exe_image.yml

@@ -4,6 +4,7 @@ status: experimental
 description: Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)
 author: Max Altgelt
 date: 2021/12/09
+modified: 2021/12/13
 references:
     - https://pentestlaboratories.com/2021/12/08/process-ghosting/
 tags:
@@ -16,6 +17,7 @@ detection:
         Image|endswith: '.exe'
     filter:
         Image: null
+        Image|startswith: 'C:\Windows\Installer\MSI'
     condition: not image_exe and not filter
 falsepositives:
     - unknown