[Rule Tuning] Exclude Windows Error Reporting & Printer Driver (#929)

rules/windows/defense_evasion_code_injection_conhost.toml

@@ -23,7 +23,8 @@ type = "query"
 
 query = '''
 event.category:process and event.type:(start or process_started) and
-  process.parent.name:conhost.exe
+  process.parent.name:conhost.exe and 
+  not process.executable:("C:\Windows\splwow64.exe" or "C:\Windows\System32\WerFault.exe" or "C:\\Windows\System32\conhost.exe")
 '''
 
 
@@ -39,4 +40,3 @@ reference = "https://attack.mitre.org/techniques/T1055/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-