From 35828985e098da79a44cd04579834f0caf6ee439 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 21 Mar 2022 12:59:14 +0100
Subject: [PATCH] refactor: rule extended

---
 .../windows/process_creation/proc_creation_win_susp_parents.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_parents.yml b/rules/windows/process_creation/proc_creation_win_susp_parents.yml
index 76594311d..bab96368d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_parents.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_parents.yml
@@ -23,11 +23,13 @@ detection:
 - '\csrss.exe'
 - '\certutil.exe'
 - '\schtasks.exe'
+ - '\eventvwr.exe'
 filter_special:
 Image|endswith:
 - '\WerFault.exe'
 - '\wermgr.exe'
 - '\conhost.exe' # csrss.exe, certutil.exe
+ - '\mmc.exe' # eventvwr.exe
 condition: selection or ( selection_special and not filter_special )
 falsepositives:
 - Unknown
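Review bot: The new `'\mmc.exe'` entry in `filter_special` is keyed on the child `Image` only, so it exempts mmc.exe under every parent that `selection_special` matches (csrss.exe, certutil.exe, schtasks.exe and whatever precedes them above the hunk), not just under eventvwr.exe as the inline comment `# eventvwr.exe` implies; the existing `'\conhost.exe'` entry has the same shape. Because `condition` is `selection or ( selection_special and not filter_special )`, an mmc.exe launched by schtasks.exe or certutil.exe now drops out of the rule silently, which is a wider exemption than the commit message "rule extended" suggests. If the intent is only the eventvwr.exe → mmc.exe pairing, express it as a parent-scoped filter and change the condition to `not 1 of filter_*` so the general filter and the pair filter stay separate. The `selection_special` key itself sits outside the hunk, so I am assuming it matches on `ParentImage|endswith`; if it uses a different field, the scoped filter below should use that field instead.
```yaml
    filter_special:
        Image|endswith:
            - '\WerFault.exe'
            # … unchanged: wermgr.exe, conhost.exe …
    filter_eventvwr_mmc:
        ParentImage|endswith: '\eventvwr.exe'
        Image|endswith: '\mmc.exe'
    condition: selection or ( selection_special and not 1 of filter_* )
```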