fix(rules): Add CompatTelRunner.exe exclusion for Unusual process modified registry run key

Author: rabbitstack

rules/persistence_unusual_process_modified_registry_run_key.yml

@@ -1,6 +1,6 @@
 name: Unusual process modified registry run key
 id: 921508a5-b627-4c02-a295-6c6863c0897b
-version: 1.0.2
+version: 1.0.3
 description: |
   Identifies an attempt by unusual Windows native processes to modify
   the run key and gain persistence on users logons or machine reboots.
@@ -41,7 +41,8 @@ condition: >
       '?:\\Windows\\SysWOW64\\prevhost.exe',
       '?:\\Windows\\System32\\conhost.exe',
       '?:\\Windows\\System32\\taskhostw.exe',
-      '?:\\Windows\\System32\\backgroundTaskHost.exe'
+      '?:\\Windows\\System32\\backgroundTaskHost.exe',
+      '?:\\Windows\\System32\\CompatTelRunner.exe'
     )
 
 min-engine-version: 2.4.0