From 7175a1737aa01d7f60c8b42f47b2515af0f9df9c Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel
 <87493836+swachchhanda000@users.noreply.github.com>
Date: Wed, 10 Dec 2025 09:08:56 +0545
Subject: [PATCH 1/2] new: Suspicious Process Access of MsMpEng by
 WerFaultSecure - EDR-Freeze

---
 sysmonconfig-export-block.xml | 5 +++++
 sysmonconfig-export.xml       | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/sysmonconfig-export-block.xml b/sysmonconfig-export-block.xml
index 16fd5656..31cfa9a2 100644
--- a/sysmonconfig-export-block.xml
+++ b/sysmonconfig-export-block.xml
@@ -481,6 +481,11 @@
 				<CallTrace condition="contains">:\Windows\Microsoft.NET\Framework64\v2.</CallTrace>
 				<CallTrace condition="contains">UNKNOWN</CallTrace>
 			</Rule>
+            <!--Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze Ref: https://github.com/SigmaHQ/sigma/pull/5777/files#diff-070db4b0869c437f4aa265e9e01a3c48f5d1d9757be2aa6aec35b852a587bb73-->
+            <Rule groupRelation="and">
+                <TargetImage condition="end with">\MsMpEng.exe</TargetImage>
+                <SourceImage condition="end with">\WerFaultSecure.exe</SourceImage>
+            </Rule>
 		</ProcessAccess>
 	</RuleGroup>
 
diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 6223d95c..0dee18fa 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -524,6 +524,11 @@
 				<CallTrace condition="contains">:\Windows\Microsoft.NET\Framework64\v2.</CallTrace>
 				<CallTrace condition="contains">UNKNOWN</CallTrace>
 			</Rule>
+            <!--Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze Ref: https://github.com/SigmaHQ/sigma/pull/5777/files#diff-070db4b0869c437f4aa265e9e01a3c48f5d1d9757be2aa6aec35b852a587bb73-->
+            <Rule groupRelation="and">
+                <TargetImage condition="end with">\MsMpEng.exe</TargetImage>
+                <SourceImage condition="end with">\WerFaultSecure.exe</SourceImage>
+            </Rule>
 		</ProcessAccess>
 	</RuleGroup>
 

From 3df830e001f2c555399211bbfd959a6d832cc75e Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 10 Dec 2025 08:51:52 +0100
Subject: [PATCH 2/2] change order

---
 sysmonconfig-export-block.xml | 2 +-
 sysmonconfig-export.xml       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export-block.xml b/sysmonconfig-export-block.xml
index 31cfa9a2..6e597db7 100644
--- a/sysmonconfig-export-block.xml
+++ b/sysmonconfig-export-block.xml
@@ -483,8 +483,8 @@
 			</Rule>
             <!--Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze Ref: https://github.com/SigmaHQ/sigma/pull/5777/files#diff-070db4b0869c437f4aa265e9e01a3c48f5d1d9757be2aa6aec35b852a587bb73-->
             <Rule groupRelation="and">
-                <TargetImage condition="end with">\MsMpEng.exe</TargetImage>
                 <SourceImage condition="end with">\WerFaultSecure.exe</SourceImage>
+                <TargetImage condition="end with">\MsMpEng.exe</TargetImage>
             </Rule>
 		</ProcessAccess>
 	</RuleGroup>
diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 0dee18fa..043b9bad 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -526,8 +526,8 @@
 			</Rule>
             <!--Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze Ref: https://github.com/SigmaHQ/sigma/pull/5777/files#diff-070db4b0869c437f4aa265e9e01a3c48f5d1d9757be2aa6aec35b852a587bb73-->
             <Rule groupRelation="and">
-                <TargetImage condition="end with">\MsMpEng.exe</TargetImage>
                 <SourceImage condition="end with">\WerFaultSecure.exe</SourceImage>
+                <TargetImage condition="end with">\MsMpEng.exe</TargetImage>
             </Rule>
 		</ProcessAccess>
 	</RuleGroup>