From 17032194d8ea06591c10a99d331be88bc3c0def3 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 10 Feb 2021 13:17:57 -0600
Subject: [PATCH] [Rule Tuning] Suspicious WerFault Child Process (#915)

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

Added Article "How to Design Abnormal Child Processes Rules without Telemetry"

* bump updated_date

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
---
 ...fense_evasion_masquerading_suspicious_werfault_childproc.toml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index 97320631f..a8894170e 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -18,6 +18,7 @@ name = "Suspicious WerFault Child Process"
 references = [
     "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
     "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx",
+    "https://blog.menasec.net/2021/01/",
 ]
 risk_score = 47
 rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff"
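Review bot: The added reference `"https://blog.menasec.net/2021/01/"` is a monthly blog archive rather than the permalink of the article the commit message cites ("How to Design Abnormal Child Processes Rules without Telemetry"), so as more posts land in that month the link stops pointing at the supporting material an analyst triaging this rule would want. Replace it with the post's own URL, e.g. `"https://blog.menasec.net/2021/01/<post-slug-placeholder>"`, keeping the existing two references as they are. Separately, the commit message says `updated_date` was bumped, but the diffstat shows one file changed with a single insertion and the hunk touches only `references`, so that bump does not appear in this patch; worth confirming it was applied elsewhere, since the rule's metadata would otherwise not reflect this change.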