fix: FP in testing

rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml

@@ -6,6 +6,7 @@ references:
     - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
 author: Bhabesh Raj
 date: 2022/08/01
+modified: 2022/08/09
 tags:
     - attack.defense_evasion
     - attack.t1574.002
@@ -13,12 +14,13 @@ logsource:
     product: windows
     category: process_creation
 detection:
-    selection: 
+    selection:
         Image|endswith: '\MpCmdRun.exe'
     legit_path:
         Image|startswith: # MpCmdRun resides in two locations
           - 'C:\Program Files\Windows Defender\'
           - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+          - 'C:\Windows\winsxs\x86_security-malware-windows-defender_'  # found on Win7 i386
     condition: selection and not legit_path
 falsepositives:
     - Unknown