diff --git a/rules/windows/process_creation/win_susp_svchost.yml b/rules/windows/process_creation/win_susp_svchost.yml
index 39c9ae4cf..12f3a7989 100644
--- a/rules/windows/process_creation/win_susp_svchost.yml
+++ b/rules/windows/process_creation/win_susp_svchost.yml
@@ -8,7 +8,7 @@ tags:
     - attack.t1036 # an old one
 author: Florian Roth
 date: 2017/08/15
-modified: 2020/08/28
+modified: 2021/11/26
 logsource:
     category: process_creation
     product: windows
@@ -22,6 +22,7 @@ detection:
             - '\Mrt.exe'
             - '\rpcnet.exe'
             - '\svchost.exe'
+            - '\ngen.exe'
     filter_null:
         ParentImage: null
     condition: selection and not filter and not filter_null
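Review bot: The new `'\ngen.exe'` entry in the parent-image filter list widens the exclusion to any process whose image name ends with `\ngen.exe`, regardless of its directory, so an attacker who drops a renamed binary as `ngen.exe` in a writable path and spawns `svchost.exe` from it is silently filtered out; the filter key and its modifier sit above the hunk, but the sibling entries (`'\Mrt.exe'`, `'\svchost.exe'`) suggest a suffix-only match. If this exclusion is needed, pinning it to the legitimate .NET Framework location would keep the bypass narrow, e.g. a dedicated filter such as `filter_ngen:` / `ParentImage|startswith: 'C:\Windows\Microsoft.NET\Framework'` / `ParentImage|endswith: '\ngen.exe'`, referenced from the condition. The entry also lacks any note on why it was added; a short inline comment like `- '\ngen.exe'  # .NET Native Image Generator parent observed in FP reports — verify` would help future tuning. The enclosing `filter:` mapping starts outside the hunk.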