From aeab567fb985affcc411261d7f296c1597739fbd Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Thu, 29 Dec 2022 21:18:26 +0000
Subject: [PATCH] FP when sysmon crashes and werfault gets launched

---
 .../proc_creation_win_sysmon_exploitation.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml b/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml
index 93c142377..ab9e5b67c 100644
--- a/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml
@@ -6,9 +6,9 @@ references:
 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120
 - https://twitter.com/filip_dragovic/status/1590052248260055041
 - https://twitter.com/filip_dragovic/status/1590104354727436290
-author: Florian Roth
+author: Florian Roth, Tim Shelton (fp werfault)
 date: 2022/11/10
-modified: 2022/12/15
+modified: 2022/12/29
 tag:
 - attack.privilege_escalation
 - attack.t1068
@@ -27,6 +27,7 @@ detection:
 - 'C:\Windows\System32\conhost.exe'
 - 'wevtutil.exe'
 - 'C:\WINDOWS\system32\wevtutil.exe'
+- 'C:\Windows\System32\WerFault.exe' # When Sysmon crashes
 - Image|endswith: '\AppData\Local\Temp\Sysmon.exe' # When launching Sysmon 32bit version.
 condition: selection and not filter
 falsepositives:
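Review bot: The new WerFault.exe exclusion is not reflected under `falsepositives:`, which is the last context line of the second hunk but receives no entry for the case the commit title describes; add a line such as `- Sysmon crashing and spawning WerFault.exe` so the rule's documented false positives match its filter. The field that this filter list belongs to, and the start of the `detection:` block, lie outside the hunk, so it is not visible here whether the list is matched exactly or by suffix; the added entry uses a full path, which presumably keeps a same-named binary in another directory from being excluded, and that is the tighter choice. Minor style point: the neighbouring entry uses `C:\WINDOWS\system32\` while the added one uses `C:\Windows\System32\`; Sigma matching is case-insensitive, but a single casing in the list would read more consistently.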