new: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze (#67)

* new: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze

* change order

---------

Co-authored-by: phantinuss <[email protected]>

Author: swachchhanda000

sysmonconfig-export-block.xml

@@ -481,6 +481,11 @@
 				<CallTrace condition="contains">:\Windows\Microsoft.NET\Framework64\v2.</CallTrace>
 				<CallTrace condition="contains">UNKNOWN</CallTrace>
 			</Rule>
+            <!--Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze Ref: https://github.com/SigmaHQ/sigma/pull/5777/files#diff-070db4b0869c437f4aa265e9e01a3c48f5d1d9757be2aa6aec35b852a587bb73-->
+            <Rule groupRelation="and">
+                <SourceImage condition="end with">\WerFaultSecure.exe</SourceImage>
+                <TargetImage condition="end with">\MsMpEng.exe</TargetImage>
+            </Rule>
 		</ProcessAccess>
 	</RuleGroup>
 

sysmonconfig-export.xml

@@ -524,6 +524,11 @@
 				<CallTrace condition="contains">:\Windows\Microsoft.NET\Framework64\v2.</CallTrace>
 				<CallTrace condition="contains">UNKNOWN</CallTrace>
 			</Rule>
+            <!--Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze Ref: https://github.com/SigmaHQ/sigma/pull/5777/files#diff-070db4b0869c437f4aa265e9e01a3c48f5d1d9757be2aa6aec35b852a587bb73-->
+            <Rule groupRelation="and">
+                <SourceImage condition="end with">\WerFaultSecure.exe</SourceImage>
+                <TargetImage condition="end with">\MsMpEng.exe</TargetImage>
+            </Rule>
 		</ProcessAccess>
 	</RuleGroup>