Merge pull request #2467 from SigmaHQ/aurora-false-positive-fixing

fix: exclude *.scr screensavers
Florian Roth
2021-12-18 19:00:20 +01:00
committed by GitHub
@@ -4,7 +4,7 @@ status: experimental
description: Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)
author: Max Altgelt
date: 2021/12/09
modified: 2021/12/17
modified: 2021/12/18
references:
- https://pentestlaboratories.com/2021/12/08/process-ghosting/
tags:
@@ -24,6 +24,8 @@ detection:
filter_avira:
Image|startswith: 'C:\Windows\Temp\'
Image|endswith: '\avira_speedup_setup_update.tmp'
filter_screensaver:
Image|endswith: '.scr'
condition: not image_exe and not 1 of filter*
falsepositives:
- unknown
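Review bot: The new `filter_screensaver` selection excludes every image whose path ends in `.scr` with no path constraint, unlike `filter_avira` directly above it which is pinned to `C:\Windows\Temp\`; since `.scr` files are ordinary PE executables, this drops the rule's coverage for any non-.exe image in any location whose name happens to end in `.scr`. Consider scoping the exclusion to where legitimate screensavers live, e.g. `filter_screensaver:` / `Image|startswith: 'C:\Windows\System32\'` / `Image|endswith: '.scr'` (with a second `startswith` entry for `C:\Windows\SysWOW64\` if needed), so the benign case is handled without a blanket exception. The `falsepositives` list still reads `- unknown` even though this commit exists to handle a known benign case; an entry such as `- Legitimate screensavers (.scr files) started by the OS` would record why the filter exists. The remainder of the `detection` block, including the `image_exe` selection referenced by `condition`, is outside the hunk.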