fix: more false positives

rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml

@@ -13,7 +13,7 @@ tags:
     - car.2019-04-004
 author: Sherif Eldeeb
 date: 2017/10/18
-modified: 2021/06/21
+modified: 2021/11/17
 logsource:
     product: windows
     category: process_access
@@ -23,7 +23,10 @@ detection:
         GrantedAccess:
             - '0x1410'
             - '0x1010'
-    condition: selection
+    filter:
+        SourceImage|startswith: 'C:\Program Files\WindowsApps\'
+        SourceImage|endswith: '\GamingServices.exe'
+    condition: selection and not filter
 fields:
     - ComputerName
     - User

rules/windows/image_load/sysmon_wsman_provider_image_load.yml

@@ -3,6 +3,7 @@ id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
 description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
 status: experimental
 date: 2020/06/24
+modified: 2021/11/17
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
     - attack.execution
@@ -32,6 +33,8 @@ detection:
     respond_server:
         Image|endswith: '\svchost.exe'
         OriginalFileName: 'WsmWmiPl.dll'
+    filter:
+        CommandLine|endswith: '\svchost.exe -k netsvcs -p -s BITS'
     condition: (request_client and not filter_ps) or respond_server
 falsepositives:
     - Unknown