Closed rkmbaxed closed 12 months ago
Hey @rkmbaxed thanks for opening this issue. I added the filter (and took the chance to add a couple more binaries). It should be fixed in #4564
Rule UUID
0b0cd537-fc77-4e6e-a973-e53495c1083d
Example EventLog
Image: C:\Program Files\Microsoft Office Web Apps\ExcelServicesEcs\bin\excelcnv.exe
FileVersion: 16.0.10400.20000
Description: Microsoft Excel
Product: Microsoft Office
Company: Microsoft Corporation
OriginalFileName: Excel.exe
CommandLine: "C:\Program Files\Microsoft Office Web Apps\ExcelServicesEcs\bin\excelcnv.exe" .....
Description
Add excelcnv.exe to filter, it's a common Microsoft Office executable file.
https://support.microsoft.com/en-au/topic/july-27-2023-update-for-excel-2016-kb5002454-c4f849d4-d67f-41d9-8a98-6ab4e4c0ad48