diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml
index b287f94a9..a6a147ee0 100644
--- a/rules/windows/process_creation/win_webshell_spawn.yml
+++ b/rules/windows/process_creation/win_webshell_spawn.yml
@@ -4,6 +4,7 @@ status: experimental
 description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
 author: Thomas Patzke
 date: 2019/01/16
+modified: 2020/03/03
 logsource:
 category: process_creation
 product: windows
@@ -14,6 +15,7 @@ detection:
 - '*\httpd.exe'
 - '*\nginx.exe'
 - '*\php-cgi.exe'
+ - '*\tomcat.exe'
 Image:
 - '*\cmd.exe'
 - '*\sh.exe'
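Review bot: The added pattern `'*\tomcat.exe'` in the second hunk only matches a binary named exactly `tomcat.exe`, while the stock Tomcat Windows service wrapper is installed under a versioned name such as `tomcat9.exe`, so shells spawned by a default install would likely go undetected. Widening the entry to `- '*\tomcat*.exe'` covers the versioned wrappers. Tomcat started from its batch scripts runs under `java.exe`, which this list does not cover; that case probably needs a parent command-line condition rather than an image name, to keep noise down. The key that owns this list sits above the hunk, so I am assuming it is the parent-image selection.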