diff --git a/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml b/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml
index debf1fcea..89b23fde0 100644
--- a/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml
@@ -6,7 +6,7 @@ references:
 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120
 - https://twitter.com/filip_dragovic/status/1590052248260055041
 - https://twitter.com/filip_dragovic/status/1590104354727436290
-author: Florian Roth
+author: Florian Roth, Tim Shelton (fp werfault)
 date: 2022/11/10
 modified: 2022/12/30
 tag:
@@ -28,6 +28,7 @@ detection:
 - 'C:\Windows\System32\conhost.exe'
 - 'wevtutil.exe'
 - 'C:\WINDOWS\system32\wevtutil.exe'
+ - 'C:\Windows\System32\WerFault.exe' # When Sysmon crashes
 - Image|endswith: '\AppData\Local\Temp\Sysmon.exe' # When launching Sysmon 32bit version.
 condition: selection and not filter
 falsepositives:
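Review bot: The second hunk changes the rule's filter logic, but the `modified: 2022/12/30` line in the first hunk is left untouched even though the commit edits the line right above it; Sigma convention is to bump `modified` whenever detection or filter content changes so consumers can tell this revision from the previous one, e.g. `modified: <date of this commit>`. The new entry is a single exact path, whereas the neighbouring wevtutil exclusion lists both a bare name and a full path; the field and modifier this list sits under start above the hunk, so it is not visible which shape actually matches, but one consistent form (a full path or, if the list is under an `|endswith` modifier, `'\WerFault.exe'`) would make the filter's scope easier to audit. The comment `# When Sysmon crashes` would be more useful to a maintainer judging the false-positive claim if it named the mechanism, e.g. `# FP: WerFault.exe launched by Windows Error Reporting when the Sysmon process itself crashes`. The `filter` mapping and the `selection` it is applied against both begin outside the hunk.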