diff --git a/Windows_Sysmon/MITRE_TECHNIQUES_FROM_SYSMON_EVENT1.xml b/Windows_Sysmon/MITRE_TECHNIQUES_FROM_SYSMON_EVENT1.xml
index bce9873..0777d70 100644
--- a/Windows_Sysmon/MITRE_TECHNIQUES_FROM_SYSMON_EVENT1.xml
+++ b/Windows_Sysmon/MITRE_TECHNIQUES_FROM_SYSMON_EVENT1.xml
@@ -1028,18 +1028,13 @@
sysmon_event1,windows_sysmon_event1,sysmon_anomaly
-
-
- 100160
- winword.exe$|excel.exe$|powerpnt.exe$
- Sysmon - Event 1: Process $(win.eventdata.description) - MS RCE Follina Detection.
+
+ 100105
+ winword\.exe$|excel\.exe$|powerpnt\.exe$|outlook\.exe$|msaccess\.exe$|lync\.exe$|mspub\.exe$|onenote\.exe$
+ Possible Follina (CVE-2022-30190) exploitation attempt detected. New process created by a Microsoft Office application.
- T1204
- T1047
- T1218
+ T1203
- no_full_log
- sysmon_event1,windows_sysmon_event1,sysmon_anomaly
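Review bot: The added pattern `winword\.exe$|excel\.exe$|…|onenote\.exe$` escapes its dots, which is only correct if the field is evaluated as PCRE2; under Wazuh's default OS_Regex syntax `\.` stands for any character and a bare `.` is already literal. The element's attributes are not visible in this rendering, so please confirm it carries `type="pcre2"`. If it does, prefix the pattern with `(?i)`, because PCRE2 matching is case-sensitive and Sysmon reports image names as they appear on disk. The same check applies to `^msdt\.exe$` in the second hunk. The alternatives are also anchored only at the end, so a name such as `xwinword.exe` (constructed example) would match; a leading `\\` before each name would tie it to a path component.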
@@ -1170,6 +1165,16 @@
no_full_log
sysmon_event1,windows_sysmon_event1,
+
+
+ 100506
+ ^msdt\.exe$
+ ms-msdt:(/|-)id.*(PCWDiagnostic|IT_RebrowseForFile|IT_LaunchMethod|SelectProgram)
+ Follina (CVE-2022-30190) exploitation attempt detected. MSDT executed with known Follina exploitation pattern.
+
+ T1203
+
+
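Review bot: The command-line pattern on the new MSDT rule is matched case-sensitively if the field is PCRE2 (the `.*` suggests it is), while Windows treats the scheme, switch and parameter names case-insensitively; it should start with `(?i)`, i.e. `(?i)ms-msdt:(/|-)id.*(PCWDiagnostic|IT_RebrowseForFile|IT_LaunchMethod|SelectProgram)`. As far as the visible lines show, the new rule also carries neither the `no_full_log` option nor the `sysmon_event1,windows_sysmon_event1,` group that the preceding rule has, and the first hunk removes both from the Office rule. If dashboards, filters or active responses key on those groups, these alerts would fall outside them, so consider keeping the option and group lines. A short XML comment above the rule naming the field each pattern applies to and the source of the four parameter names would help later tuning.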