diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index 97320631f..a8894170e 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -18,6 +18,7 @@ name = "Suspicious WerFault Child Process"
 references = [
     "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
     "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx",
+    "https://blog.menasec.net/2021/01/",
 ]
 risk_score = 47
 rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff"