diff --git a/README.md b/README.md index 3e480bf77..6355f8c45 100644 --- a/README.md +++ b/README.md @@ -89,7 +89,7 @@ Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single So * Creation of a reasonable set of sample rules * Release of the first rule converters for Elastic Search and Splunk * Integration of feedback into the rule specifications -* Collecting rule input from fellow researchers and analysts +* Integration into Threat Intel Exchanges, e.g. MISP * Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms # Credits diff --git a/rules/web/web_webshell_keyword.yml b/rules/web/web_webshell_keyword.yml index f2cf40427..c0e6f7103 100644 --- a/rules/web/web_webshell_keyword.yml +++ b/rules/web/web_webshell_keyword.yml @@ -8,7 +8,7 @@ detection: - '=whoami' - '=net%20user' - '=cmd%20/c%20' - condition: selection and keywords + condition: keywords falsepositives: - Web sites like wikis with articles on os commands and pages that include the os commands in the URLs - User searches in search boxes of the respective website diff --git a/rules/windows/builtin/win_susp_add_sid_history.yml b/rules/windows/builtin/win_susp_add_sid_history.yml new file mode 100644 index 000000000..8837b72b2 --- /dev/null +++ b/rules/windows/builtin/win_susp_add_sid_history.yml @@ -0,0 +1,17 @@ +title: Addition of SID History to Active Directory Object +status: stable +description: An attacker can use the SID history attribute to gain additional privileges. +reference: https://adsecurity.org/?p=1772 +author: Thomas Patzke +logsource: + product: windows +detection: + selection: + EventLog: Security + EventID: + - 4765 + - 4766 + condition: selection +falsepositives: + - Migration of an account into a new domain +level: medium diff --git a/rules/windows/builtin/win_susp_dsrm_password_change.yml b/rules/windows/builtin/win_susp_dsrm_password_change.yml new file mode 100644 index 000000000..0c8cacfc1 
--- /dev/null +++ b/rules/windows/builtin/win_susp_dsrm_password_change.yml @@ -0,0 +1,15 @@ +title: Password Change on Directory Service Restore Mode (DSRM) Account +status: stable +description: The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence. +reference: https://adsecurity.org/?p=1714 +author: Thomas Patzke +logsource: + product: windows +detection: + selection: + EventLog: Security + EventID: 4794 + condition: selection +falsepositives: + - Initial installation of a domain controller +level: high
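Review bot: In the README.md hunk, the replaced roadmap bullet ("Collecting rule input from fellow researchers and analysts") is dropped rather than marked as done, and the new bullet ("Integration into Threat Intel Exchanges, e.g. MISP") overlaps with the following unchanged item, which already lists "threat sharing platforms". Either keep the old item and add MISP as a new line, or fold the MISP mention into the existing "threat sharing platforms" bullet so the roadmap does not list the same goal twice.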
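Review bot: In the web_webshell_keyword.yml hunk, `condition: keywords` drops the `selection` reference, but the hunk does not show a `selection` block being removed from `detection`; if it still exists it is now a dead definition, and if it was the part that scoped the keywords to web server logs, the rule now fires on any event from the rule's logsource containing `=whoami`, `=net%20user` or `=cmd%20/c%20`, which makes the already listed false positives (wikis, search boxes) more likely. Please include the rest of the `detection` block in the diff, or add a short comment explaining why the extra selection was unnecessary.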
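Review bot: In the win_susp_add_sid_history.yml hunk, the Security log is selected through the `EventLog: Security` field inside `selection` while `logsource` only states `product: windows`; moving that into `logsource` (`service: security`) lets the converters map the log source instead of relying on a field name that differs per backend. The rule also groups 4765 (SID History added) with 4766 (attempt failed) under one `level: medium`, but the only listed false positive, "Migration of an account into a new domain", explains a successful addition, not a failed attempt; either document that a failed attempt is expected to be rarer, or split the two IDs so they can carry their own level and false positives.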
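Review bot: In the win_susp_dsrm_password_change.yml hunk, a brand-new rule is shipped as `status: stable` before it has been exercised against real data; `experimental` is the usual starting status until the false-positive section (currently only "Initial installation of a domain controller") has been confirmed. As with the SID history rule, the Security log is selected via `EventLog: Security` in `selection` rather than in `logsource`. Event 4794 is also only written when the "Audit User Account Management" subcategory is enabled on the domain controllers, so a short note in `description` or `falsepositives` about that audit requirement would tell users why the rule may never fire.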