diff --git a/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml b/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml
index 8ec001834..17dc63004 100644
--- a/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml
+++ b/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml
@@ -23,10 +23,6 @@ detection:
 - OriginalFileName: 'Cmd.Exe'
 - Image|endswith: '\cmd.exe'
 selection_cli:
- CommandLine|startswith:
- 'cmd '
- 'cmd.exe'
- 'c:\windows\system32\cmd.exe'
 CommandLine|contains:
 - 'Invoke-UserHunter'
 - 'Invoke-ShareFinder'
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml
index cf89ddc70..fcf6ac816 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
 author: Florian Roth
 date: 2019/08/24
-modified: 2022/03/07
+modified: 2023/01/31
 tags:
 - attack.defense_evasion
 - attack.t1140
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_reflective_assembly_load.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_reflective_assembly_load.yml
index a25090f9d..6e97bfed4 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_reflective_assembly_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_reflective_assembly_load.yml
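Review bot: The `modified` date of proc_creation_win_cobaltstrike_bloopers_modules.yml is not bumped even though its detection logic changes: the file's only hunk is `@@ -23,10 +23,6 @@`, so the header `modified:` field (outside the hunk) keeps its old value, whereas the two powershell rules in this commit do update it. Dropping the `CommandLine|startswith` list widens `selection_cli` to any command line that merely contains one of the listed module names; that is presumably intended because the preceding selection already pins the process via `OriginalFileName` and `Image|endswith`, but the `condition:` and that selection's key are outside the hunk, so confirm the two selections are still ANDed and the `startswith` filter was not the only cmd.exe constraint. Add `modified: <YYYY/MM/DD>` (placeholder) to the rule header alongside this change.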
@@ -10,7 +10,7 @@ references:
 - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
 author: Christian Burkard, pH-T
 date: 2022/03/01
-modified: 2022/05/20
+modified: 2023/01/30
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml b/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml
index c076c5ef0..9a863e6ce 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml
@@ -1,7 +1,7 @@
-title: LSA PPL Protection Disabled Via Reg
+title: LSA PPL Protection Disabled Via Reg.EXE
 id: 8c0eca51-0f88-4db2-9183-fdfb10c703f9
 status: experimental
-description: Detects usage of the "reg.exe" utility to disable PPL protection on the LSA process
+description: Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process
 references:
 - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
 author: Florian Roth