diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index 8e23f86f3..7ea757e5a 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -4,7 +4,7 @@ description: This method detects mimikatz keywords in different Eventlogs (some
 status: experimental
 author: Florian Roth
 date: 2017/01/10
-modified: 2021/08/26
+modified: 2021/12/01
 tags:
 - attack.s0002
 - attack.t1003 # an old one
@@ -33,7 +33,9 @@ detection:
 - ' s::l '
 - 'gentilkiwi.com'
 - 'Kiwi Legit Printer'
- condition: keywords
+ filter:
+ EventID: 15 # Sysmon's FileStream Events (could cause false positives when Sigma rules get copied on/to a system)
+ condition: keywords and not filter
 falsepositives:
 - Naughty administrators
 - Penetration test
diff --git a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml
index 47b70d211..462ef78b8 100644
--- a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml
+++ b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/afwu/PrintNightmare
 - https://github.com/cube0x0/CVE-2021-1675
 date: 2021/06/29
-modified: 2021/07/01
+modified: 2021/12/01
 tags:
 - attack.execution
 - attack.privilege_escalation
@@ -22,8 +22,7 @@ logsource:
 detection:
 selection:
 TargetFilename|contains:
- - 'C:\Windows\System32\spool\drivers\x64\3\old\1\123'
- - 'C:\Windows\System32\spool\drivers\x64\3\New\'
+ - 'C:\Windows\System32\spool\drivers\x64\3\old\1\123'
 condition: selection
 fields:
 - ComputerName
diff --git a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
index 3b17a5ef0..c105bc675 100755
--- a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
@@ -65,7 +65,9 @@ detection:
 GrantedAccess: '0x100000'
 filter7:
 SourceImage: 'C:\WINDOWS\system32\wbem\wmiprvse.exe'
- GrantedAccess: '0x1410'
+ GrantedAccess:
+ - '0x1410'
+ - '0x410'
 filter_generic:
 SourceImage|startswith:
 - 'C:\Program Files\'
@@ -84,7 +86,7 @@ detection:
 # - '\csrss.exe'
 # - '\wininit.exe'
 # - '\vmtoolsd.exe'
- condition: selection and not filter1 and not filter2 and not filter3 and not filter4 and not filter5 and not filter6 and not filter7 and not filter_generic
+ condition: selection and not 1 of filter*
 fields:
 - ComputerName
 - User
diff --git a/rules/windows/process_access/win_susp_proc_access_lsass.yml b/rules/windows/process_access/win_susp_proc_access_lsass.yml
index 687ff3fea..a6cbf5ca6 100644
--- a/rules/windows/process_access/win_susp_proc_access_lsass.yml
+++ b/rules/windows/process_access/win_susp_proc_access_lsass.yml
@@ -75,7 +75,9 @@ detection:
 SourceImage|endswith:
 - '\PROCEXP64.EXE'
 - '\PROCEXP.EXE'
- GrantedAccess: '0x1410'
+ GrantedAccess:
+ - '0x1410'
+ - '0x410'
 # VMware Tools
 filter5:
 SourceImage|startswith: 'C:\ProgramData\VMware\VMware Tools\'
@@ -97,10 +99,11 @@ detection:
 SourceImage|startswith:
 - 'C:\Program Files\'
 - 'C:\Program Files (x86)\'
+ - 'C:\WINDOWS\system32\'
 GrantedAccess:
 - '0x1410'
 - '0x410'
- condition: selection and not filter1 and not filter2 and not filter3 and not filter4 and not filter5 and not filter6 and not filter7 and not filter_generic
+ condition: selection and not 1 of filter*
 fields:
 - User
 - SourceImage
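Review bot: The new `filter` in win_alert_mimikatz_keywords.yml drops every Sysmon EventID 15 record from the keyword match, not only the case the inline comment names (Sigma rule files being copied), so a keyword hit in a file stream written by anything else is suppressed as well. Tying the exclusion to its justification keeps it narrow: under `EventID: 15` add `TargetFilename|endswith: '.yml'` (plus `'.yaml'` if the repository ships that extension too). The rule's logsource is outside this hunk; if it is not pinned to the Sysmon channel, an unqualified `EventID: 15` also hides event ID 15 from other providers, so a provider constraint on the filter would guard against that. The comment on the EventID line exceeds 120 characters; placing it on its own line above the key keeps the line within the usual length limit.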
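Review bot: In win_cve_2021_1675_printspooler.yml the removal of the `\3\New\` path leaves no record in the rule of why it was dropped; presumably legitimate driver installs stage files under that directory and caused false positives, and a comment such as `# '\3\New\' removed: legitimate driver staging writes there` would keep the next maintainer from re-adding it. The rule's coverage now rests on the single PoC-specific literal `old\1\123`, so if that narrowing is intended the description or falsepositives section (outside this hunk) should say so. The `old\1\123` line is removed and re-added with identical text, which suggests a whitespace-only difference; worth confirming nothing else changed on it.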
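Review bot: `condition: selection and not 1 of filter*` in sysmon_cred_dump_lsass_access.yml now relies on a naming convention: every exclusion selection must keep the `filter` prefix, and any future selection whose name happens to start with `filter` is folded into the exclusion without the condition changing. The same rewrite appears in the last hunk of win_susp_proc_access_lsass.yml. A comment above the condition, `# every exclusion is named filter*; the wildcard below ORs them all`, would make the convention explicit. Wildcard selection names in conditions are a newer Sigma feature, so it is worth confirming that every backend this repository targets supports `1 of filter*` before the explicit chain is dropped.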
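Review bot: Adding `'C:\WINDOWS\system32\'` to filter_generic's `SourceImage|startswith` in win_susp_proc_access_lsass.yml excludes every process image under the system directory that opens lsass with `0x1410` or `0x410`, a far wider exclusion than the other filters in the rule; compare filter7 in sysmon_cred_dump_lsass_access.yml in this same commit, which names the exact image `C:\WINDOWS\system32\wbem\wmiprvse.exe`. Both access masks include PROCESS_VM_READ (0x10), so this turns the whole system directory into a blind spot for lsass memory reads. Prefer listing the specific system32 images observed generating noise, each as a full path in its own filter, with a comment recording which binaries and why. If the broad prefix must stay, a comment on that line stating the accepted coverage loss would at least make the trade-off visible to the next reviewer.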