rule: extend parent processes

rules/windows/process_creation/win_webshell_spawn.yml

@@ -4,7 +4,7 @@ status: test
 description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
 author: Thomas Patzke
 date: 2019/01/16
-modified: 2021/11/27
+modified: 2022/01/06
 logsource:
   category: process_creation
   product: windows
@@ -16,7 +16,8 @@ detection:
       - '\nginx.exe'
       - '\php-cgi.exe'
       - '\tomcat.exe'
-      - '\UMWorkerProcess.exe'        # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
+      - '\UMWorkerProcess.exe'  # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
+      - '\ws_TomcatService.exe'  # https://digital.nhs.uk/cyber-alerts/2022/cc-4002
     Image|endswith:
       - '\cmd.exe'
       - '\sh.exe'