fix: FPs

iocs/filename-iocs.txt

@@ -3070,7 +3070,7 @@ ystem32\\uploadmgr\.dat;80
 \\\.oracleServices\\svshost_serv\.exe;100
 
 # NTDS.DIT in uncommon location https://blog.stealthbits.com/extracting-password-hashes-from-the-ntds-dit-file/
-[^s2S]\\ntds.dit;60
+[^s2S]\\ntds.dit;60;WinSxS
 
 # MAL HWP Incident Feb 19 https://sfkino.tistory.com/73
 \\Local\\Temp\\HimTray\.dll;75

yara/gen_url_persitence.yar

@@ -129,6 +129,7 @@ rule Methodology_Contains_Shortcut_OtherURIhandlers
     and filesize < 30KB
 }
 
+/*
 rule Methodology_Suspicious_Shortcut_IconShenanigans_dotDL
 {
   meta:
@@ -147,6 +148,7 @@ rule Methodology_Suspicious_Shortcut_IconShenanigans_dotDL
     and uint16(0) != 0x5A4D and uint32(0) != 0x464c457f and uint32(0) != 0xBEBAFECA and uint32(0) != 0xFEEDFACE and uint32(0) != 0xFEEDFACF and uint32(0) != 0xCEFAEDFE
     and filesize < 30KB
 }
+*/
 
 rule Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO
 {