fix(rules): Correct usage of not operator on bool fields

Using the not operator on bool fields leads to misbehavior. Instead, use the equal operator and false keyword.

rules/credential_access_remote_thread_creation_into_lsass.yml

@@ -1,6 +1,6 @@
 name: Remote thread creation into LSASS
 id: e3ce8d6f-c260-48d6-9398-3c1c71726297
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies the creation of a remote thread in LSASS (Local Security And Authority Subsystem Service)
   by untrusted or suspicious processes. This may indicate attempts to execute code inside the LSASS process
@@ -19,6 +19,6 @@ labels:
 condition: >
   create_remote_thread and kevt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'
     and
-  (ps.name iin script_interpreters or ps.name ~= 'rundll32.exe' or not (pe.is_signed and pe.is_trusted))
+  (ps.name iin script_interpreters or ps.name ~= 'rundll32.exe' or pe.is_signed = false or pe.is_trusted = false)
 
 min-engine-version: 2.0.0

rules/persistence_script_interpreter_or_untrusted_process_persistence.yml

@@ -1,6 +1,6 @@
 name: Script interpreter host or untrusted process persistence
 id: cc41ee3a-6e44-4903-85a4-0147ec6a7eea
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies the script interpreter or untrusted process writing
   to commonly abused run keys or the Startup folder locations.
@@ -23,7 +23,7 @@ condition: >
       or
     ps.parent.name in script_interpreters
       or
-    not pe.is_trusted
+    pe.is_trusted = false
   )
     and
   (

rules/persistence_suspicious_persistence_via_registry_modification.yml

@@ -24,7 +24,7 @@ condition: >
       or
      ps.exe imatches '?:\\Users\\Public\\*'
       or
-     not (pe.is_signed and pe.is_trusted)
+     pe.is_signed = false or pe.is_trusted = false
   )
     and
   registry.key.name imatches registry_persistence_keys