feat: rename rules for conventions

rules/windows/process_creation/proc_creation_win_renamed_binary.yml

@@ -43,5 +43,4 @@ detection:
     condition: selection and not filter
 falsepositives:
     - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
-    - PsExec installed via Windows Store doesn't contain original filename field (False negative)
 level: medium

rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml

@@ -72,4 +72,5 @@ detection:
     condition: selection and not filter
 falsepositives:
     - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
+    - PsExec installed via Windows Store doesn't contain original filename field (False negative)
 level: high

rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml

@@ -1,15 +1,15 @@
-title: Usage of Sysinternals Tools
+title: Potential Execution of Sysinternals Tools
 id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
 related:
     - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
       type: derived
 status: experimental
-description: Detects the usage of Sysinternals Tools due to accepteula option being seen in the command line.
+description: Detects commandline flags that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals Tools
 references:
     - https://twitter.com/Moti_B/status/1008587936735035392
 author: Markus Neis
 date: 2017/08/28
-modified: 2022/08/02
+modified: 2023/02/24
 tags:
     - attack.resource_development
     - attack.t1588.002
@@ -24,5 +24,5 @@ detection:
     condition: selection
 falsepositives:
     - Legitimate use of SysInternals tools
-    - Programs that use the same Registry Key
+    - Programs that use the same commandline
 level: low

rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml

@@ -1,11 +1,12 @@
-title: Use of Sysinternals PsService
+title: Sysinternals PsService Execution
 id: 3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f
 status: experimental
-description: Detects usage of Sysinternals PsService for service reconnaissance or tamper
+description: Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
 references:
     - https://docs.microsoft.com/en-us/sysinternals/downloads/psservice
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/16
+modified: 2023/02/24
 tags:
     - attack.discovery
     - attack.persistence