Merge PR #4490 From @phantinuss - Fix FP Found In Testing

fix: Suspicious Sysmon as Execution Parent - add WERFaultSecure.exe as exception
fix: System File Execution Location Anomaly - add pwsh 7 preview path as exception

rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml

@@ -8,7 +8,7 @@ references:
     - https://twitter.com/filip_dragovic/status/1590104354727436290
 author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
 date: 2022/11/10
-modified: 2023/09/13
+modified: 2023/10/18
 tags:
     - attack.privilege_escalation
     - attack.t1068
@@ -30,6 +30,7 @@ detection:
               - 'wevtutil.exe'
               - 'C:\WINDOWS\system32\wevtutil.exe'
               - 'C:\Windows\System32\WerFault.exe' # When Sysmon crashes
+              - 'C:\Windows\System32\WerFaultSecure.ex' # When Sysmon crashes
         - Image|endswith: '\AppData\Local\Temp\Sysmon.exe' # When launching Sysmon 32bit version.
     filter_main_null:
         Image: null

rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml

@@ -7,7 +7,7 @@ references:
     - https://asec.ahnlab.com/en/39828/
 author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali
 date: 2017/11/27
-modified: 2023/01/10
+modified: 2023/10/18
 tags:
     - attack.defense_evasion
     - attack.t1036
@@ -78,6 +78,7 @@ detection:
         - Image:
               - 'C:\Windows\explorer.exe'
               - 'C:\Program Files\PowerShell\7\pwsh.exe'
+              - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
     filter_wsl_windowsapps:
         Image|startswith: 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
         Image|endswith: '\wsl.exe'