Update credential_access_suspicious_lsass_access_generic.toml (#4188)

Author: Samirbous

rules/windows/credential_access_suspicious_lsass_access_generic.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/01/22"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -51,14 +51,25 @@ process where host.os.type == "windows" and event.code == "10" and
         "?:\\Windows\\LTSvc\\LTSVC.exe",
         "?:\\Windows\\Sysmon.exe",
         "?:\\Windows\\Sysmon64.exe",
+        "C:\\Windows\\CynetMS.exe",
         "?:\\Windows\\system32\\csrss.exe",
         "?:\\Windows\\System32\\lsm.exe",
         "?:\\Windows\\system32\\MRT.exe",
         "?:\\Windows\\System32\\msiexec.exe",
         "?:\\Windows\\system32\\wbem\\wmiprvse.exe",
         "?:\\Windows\\system32\\wininit.exe",
         "?:\\Windows\\SystemTemp\\GUM*.tmp\\GoogleUpdate.exe",
-        "?:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe"
+        "?:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe", 
+        "C:\\oracle\\64\\02\\instantclient_19_13\\sqlplus.exe", 
+        "C:\\oracle\\64\\02\\instantclient_19_13\\sqlldr.exe",
+        "d:\\oracle\\product\\19\\dbhome1\\bin\\ORACLE.EXE",
+        "C:\\wamp\\bin\\apache\\apache*\\bin\\httpd.exe",
+        "C:\\Windows\\system32\\netstat.exe", 
+        "C:\\PROGRA~1\\INFORM~1\\apps\\jdk\\*\\jre\\bin\\java.exe", 
+        "C:\\PROGRA~2\\CyberCNSAgentV2\\osqueryi.exe",
+        "C:\\Utilityw2k19\\packetbeat\\packetbeat.exe",
+        "C:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\Temp\\CloudUpdate\\vpndownloader.exe", 
+        "C:\\ProgramData\\Cisco\\Cisco Secure Client\\Temp\\CloudUpdate\\vpndownloader.exe"
   ) and
   not winlog.event_data.CallTrace : ("*mpengine.dll*", "*appresolver.dll*", "*sysmain.dll*")
 '''