Some fixes for rules

rules/windows/image_load/sysmon_uac_bypass_via_dism.yml

@@ -17,10 +17,13 @@ logsource:
     product: windows     
 detection:
     selection:
-        Image:
+        Image|endswith:
             - '\dism.exe'
-        ImageLoaded:
+        ImageLoaded|endswith:
             - '\dismcore.dll'
+    filter:
+        ImageLoaded:
+            - 'C:\Windows\System32\Dism\dismcore.dll'
     condition: selection
 falsepositives:
     - Pentests

rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml

@@ -16,7 +16,7 @@ logsource:
     product: windows        
 detection:
     selection:
-        CallTrace: '*editionupgrademanagerobj.dll*'
+        CallTrace|contains: '*editionupgrademanagerobj.dll*'
     condition: selection
 fields:
     - ComputerName

rules/windows/registry_event/sysmon_bypass_via_wsreset.yml

@@ -5,7 +5,6 @@ description: Unfixed method for UAC bypass from windows 10. WSReset.exe file ass
 references:
     - https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly
     - https://lolbas-project.github.io/lolbas/Binaries/Wsreset
-    
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation