fix: more false positives

rules/windows/process_access/sysmon_cred_dump_lsass_access.yml

@@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential
 author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov,
     oscd.community (update)
 date: 2017/02/16
-modified: 2021/11/16
+modified: 2021/11/20
 references:
     - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
     - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -56,6 +56,8 @@ detection:
             - '\MicrosoftEdgeUpdate.exe'
             - '\GamingServices.exe'
             - 'C:\Windows\System32\svchost.exe'
+            - '\aurora-agent.exe'
+            - '\aurora-agent-64.exe'
     condition: selection and not filter1 and not filter2
 fields:
     - ComputerName

rules/windows/process_access/sysmon_in_memory_assembly_execution.yml

@@ -45,6 +45,8 @@ detection:
             - '\procexp64.exe'
             - '\procexp.exe'
             - '\Microsoft VS Code\Code.exe'
+            - '\aurora-agent-64.exe'
+            - '\aurora-agent.exe'
     condition: selection1 or selection2 or selection3 and not filter
 fields:
     - ComputerName