Update defense_evasion_execution_windefend_unusual_path.toml (#1492)

* Update defense_evasion_execution_windefend_unusual_path.toml

Add Microsoft Security Client to exclusions.

* Update defense_evasion_execution_windefend_unusual_path.toml

Update updated_date

* Updated author

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

rules/windows/defense_evasion_execution_windefend_unusual_path.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/07/07"
 maturity = "production"
-updated_date = "2021/07/07"
+updated_date = "2021/09/22"
 
 [rule]
-author = ["Elastic"]
+author = ["Elastic", "Dennis Perto"]
 description = """
 Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking
 starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade
@@ -32,7 +32,9 @@ process where event.type == "start" and
   (process.name : "MsMpEng.exe" and not
         process.executable : ("?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe",
                               "?:\\Program Files\\Windows Defender\\*.exe",
-                              "?:\\Program Files (x86)\\Windows Defender\\*.exe"))
+                              "?:\\Program Files (x86)\\Windows Defender\\*.exe",
+                              "?:\\Program Files\\Microsoft Security Client\\*.exe",
+                              "?:\\Program Files (x86)\\Microsoft Security Client\\*.exe"))
 '''