Merge pull request #3754 from SigmaHQ/aurora-false-positive-fixing

fix: FPs

rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml

@@ -9,7 +9,7 @@ references:
     - https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
 author: Florian Roth
 date: 2019/10/22
-modified: 2022/11/13
+modified: 2022/12/04
 tags:
     - attack.defense_evasion
     - attack.t1218.011
@@ -31,6 +31,7 @@ detection:
     filter_vsbuild_dll:
         ParentImage|contains:
             - '\Msbuild\Current\Bin\'
+            - '\VC\Tools\MSVC\'
             - '\Tracker.exe'
         CommandLine|contains:
             - '\FileTracker32.dll,#1'

rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml

@@ -8,6 +8,7 @@ references:
     - https://twitter.com/filip_dragovic/status/1590104354727436290
 author: Florian Roth
 date: 2022/11/10
+modified: 2022/12/04
 tag:
     - attack.privilege_escalation
     - attack.t1068
@@ -24,6 +25,8 @@ detection:
         Image:
             - 'C:\Windows\Sysmon64.exe'
             - 'C:\Windows\System32\conhost.exe'
+            - 'wevtutil.exe'
+            - 'C:\WINDOWS\system32\wevtutil.exe'
     condition: selection and not filter
 falsepositives:
     - Unknown