fix(rules): Exclusion for OneDrive to tune false positives in Potential process hollowing rule

Author: rabbitstack

rules/defense_evasion_potential_process_hollowing_injection.yml

@@ -1,6 +1,6 @@
 name: Potential Process Hollowing
 id: 2a3fbae8-5e8c-4b71-b9da-56c3958c0d53
-version: 1.1.2
+version: 1.1.3
 description: |
   Adversaries may inject malicious code into suspended and hollowed processes in order to
   evade process-based defenses. Process hollowing is a method of executing arbitrary code
@@ -32,7 +32,8 @@ condition: >
     |spawn_process and ps.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and not ps.exe imatches 
       (
         '?:\\Program Files\\*.exe', 
-        '?:\\Program Files (x86)\\*.exe'
+        '?:\\Program Files (x86)\\*.exe',
+        '?:\\Users\\*\\AppData\\Local\\Programs\\Common\\OneDriveCloud\\taskhostw.exe'
       )
     | by ps.child.uuid
     |unmap_view_of_section and file.view.size > 20000 and file.view.protection != 'READONLY' and (length(file.name) = 0 or not ext(file.name) = '.dll')| by ps.uuid