From 985bc78d0db3607846ecd841c097efe56e4e6786 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 6 Jan 2022 17:58:44 +0100
Subject: [PATCH] rule: extend parent processes

---
 rules/windows/process_creation/win_webshell_spawn.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml
index 0a10f4993..762ee4c21 100644
--- a/rules/windows/process_creation/win_webshell_spawn.yml
+++ b/rules/windows/process_creation/win_webshell_spawn.yml
@@ -4,7 +4,7 @@ status: test
 description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
 author: Thomas Patzke
 date: 2019/01/16
-modified: 2021/11/27
+modified: 2022/01/06
 logsource:
     category: process_creation
     product: windows
@@ -16,7 +16,8 @@ detection:
         - '\nginx.exe'
         - '\php-cgi.exe'
         - '\tomcat.exe'
-        - '\UMWorkerProcess.exe' # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
+        - '\UMWorkerProcess.exe' # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
+        - '\ws_TomcatService.exe' # https://digital.nhs.uk/cyber-alerts/2022/cc-4002
         Image|endswith:
             - '\cmd.exe'
             - '\sh.exe'
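Review bot: The source for the new `'\ws_TomcatService.exe'` entry is recorded only in a YAML comment, which is discarded by every Sigma converter, so the NHS alert URL should also be added to the rule's `references:` list (outside this hunk) where consumers of the converted rule can actually see it, e.g. `- https://digital.nhs.uk/cyber-alerts/2022/cc-4002`. The parent-image list this line joins begins before the hunk, so the matched field (presumably `ParentImage|endswith`) and the `falsepositives:` section cannot be checked here; a Tomcat service wrapper legitimately spawning `cmd.exe` during service start/stop scripting is a plausible benign source and would warrant a note there. The `'\UMWorkerProcess.exe'` line is removed and re-added with no visible difference, which looks like a whitespace-only change worth confirming so reviewers do not mistake it for a pattern edit.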