diff --git a/rules/windows/file_event/file_event_win_outlook_newform.yml b/rules/windows/file_event/file_event_win_outlook_newform.yml
index 223a23d7a..ba01fea48 100644
--- a/rules/windows/file_event/file_event_win_outlook_newform.yml
+++ b/rules/windows/file_event/file_event_win_outlook_newform.yml
@@ -9,12 +9,13 @@ tags:
 - attack.t1137.003
 author: Tobias Michalski
 date: 2021/06/10
+modified: 2022/06/16
 logsource:
 product: windows
 category: file_event
 detection:
 selection:
- Image: '\outlook.exe'
+ Image|endswith: '\outlook.exe'
 TargetFilename|contains: '\appdata\local\microsoft\FORMS\'
 condition: selection
 fields:
diff --git a/rules/windows/file_event/file_event_win_winword_cve_2021_40444.yml b/rules/windows/file_event/file_event_win_winword_cve_2021_40444.yml
index 3f7f2eaec..a5042a688 100644
--- a/rules/windows/file_event/file_event_win_winword_cve_2021_40444.yml
+++ b/rules/windows/file_event/file_event_win_winword_cve_2021_40444.yml
@@ -7,17 +7,17 @@ references:
 - https://twitter.com/vanitasnk/status/1437329511142420483?s=21
 author: Florian Roth, Sittikorn S
 date: 2021/09/10
-modified: 2021/09/13
+modified: 2022/06/16
 logsource:
 product: windows
 category: file_event
 detection:
 selection:
- Image: '\winword.exe'
+ Image|endswith: '\winword.exe'
 TargetFilename|endswith: '.cab'
 TargetFilename|contains: '\Windows\INetCache'
 selection_inf:
- Image: '\winword.exe'
+ Image|endswith: '\winword.exe'
 TargetFilename|contains|all:
 - '\AppData\Local\Temp\'
 - '.inf'
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml b/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml
new file mode 100644
index 000000000..5d2c06bbd
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml
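Review bot: `selection_inf` still pairs `TargetFilename|contains|all` with the bare fragment `'.inf'`, so any file winword.exe writes under `\AppData\Local\Temp\` whose name merely contains `.inf` (for example `info.tmp` or `foo.information`) satisfies this selection; only the `Image` modifier was tightened here. Given the selection appears intended to catch the `.inf` payload stage of CVE-2021-40444, `TargetFilename|endswith: '.inf'` together with `TargetFilename|contains: '\AppData\Local\Temp\'` expresses the intent without the substring match. The rule's `condition` and the remainder of the detection block lie outside this hunk.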
@@ -0,0 +1,24 @@
+title: Use of OpenConsole
+id: 814c95cc-8192-4378-a70a-f1aafd877af1
+description: Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting
+status: experimental
+references:
+ - https://twitter.com/nas_bench/status/1537563834478645252
+author: Nasreddine Bencherchali
+date: 2022/06/16
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - OriginalFileName: 'OpenConsole.exe'
+ - Image|endswith: '\OpenConsole.exe'
+ filter:
+ Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.WindowsTerminal' # We exclude the default path for WindowsTerminal
+ condition: selection and not filter
+falsepositives:
+ - Legitimate use by an administrator
+level: medium
+tags:
+ - attack.execution
+ - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml b/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml
index 6bb2e96c7..20230c4d5 100644
--- a/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml
@@ -13,7 +13,7 @@ tags:
 - attack.defense_evasion
 status: experimental
 date: 2021/08/23
-modified: 2022/06/02
+modified: 2022/06/16
 logsource:
 product: windows
 category: process_creation
@@ -23,7 +23,7 @@ detection:
 - Image|endswith: '\wbem\WMIC.exe'
 - CommandLine|contains: 'wmic '
 selection2:
- ParentImage:
+ ParentImage|endswith:
 - '\winword.exe'
 - '\excel.exe'
 - '\powerpnt.exe'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml b/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml
index c9c183005..55593a9be 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml
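Review bot: `condition: selection and not filter` references an identifier the rule never defines — the only selection is named `selection_img` — so the rule will be rejected by the Sigma validator or, on a tolerant backend, never match; it should read `condition: selection_img and not filter`. The filter also hardcodes the system drive, so a Windows Terminal install on a non-`C:` system drive would alert on every launch; `Image|contains: ':\Program Files\WindowsApps\Microsoft.WindowsTerminal'` keeps the drive-root anchoring (a filename cannot contain `:`) without pinning the letter, or that case should be listed under `falsepositives`. Minor: `application Whitelisting` in the description reads better as `application whitelisting`.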
@@ -8,7 +8,7 @@ references:
 - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList
 author: Nasreddine Bencherchali @nas_bench
 date: 2021/12/18
-modified: 2022/05/13
+modified: 2022/06/16
 tags:
 - attack.discovery
 - attack.t1087
@@ -18,25 +18,23 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection1:
- OriginalFileName: 'psloglist'
- selection2:
- Image|endswith:
+ selection_img:
+ - OriginalFileName: 'psloglist.exe'
+ - Image|endswith:
 - '\psloglist.exe'
 - '\psloglist64.exe'
- flags:
- CommandLine|contains:
- - '-d'
- - '/d'
- - '-x'
- - '/x'
- - '-s'
- - '/s'
- other:
+ selection_flgs:
 CommandLine|contains|all:
 - 'security'
 - 'accepteula'
- condition: (1 of selection*) or (flags and other)
+ CommandLine|contains:
+ - ' -d'
+ - ' /d'
+ - ' -x'
+ - ' /x'
+ - ' -s'
+ - ' /s'
+ condition: 1 of selection*
 falsepositives:
 - Another tool that uses the command line switches of PsLogList
 - Legitimate use of PsLogList by an administrator
diff --git a/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_winrm.yml b/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_winrm.yml
index 44e421b35..39a22be01 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_winrm.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_winrm.yml
@@ -1,10 +1,10 @@
-title: Suspicious Shells Spawn by WinRM
+title: Suspicious Processes Spawned by WinRM
 id: 5cc2cda8-f261-4d88-a2de-e9e193c86716
-description: Detects suspicious shell spawn from WinRM host process
+description: Detects suspicious processes including shells spawnd from WinRM host process
 status: experimental
 author: Andreas Hunkeler (@Karneades), Markus Neis
 date: 2021/05/20
-modified: 2021/05/22
+modified: 2022/06/16
 tags:
 - attack.t1190
 - attack.initial_access
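Review bot: `OriginalFileName` in `selection_img` changes from `'psloglist'` to `'psloglist.exe'` with nothing in the hunk or references backing either value, and Sysinternals binaries are known to carry version-resource names that differ from the on-disk name, so this should be confirmed against the PE resource of current psloglist.exe/psloglist64.exe before the old value is dropped; if both variants exist across releases, listing both under `OriginalFileName:` costs nothing. Note also that `selection_flgs` matches on command-line text alone (`security` plus `accepteula` plus one switch), so `1 of selection*` now fires on any tool invoked that way even when no PsLogList image is present — the existing `falsepositives` entry acknowledges this, but a comment such as `# Catches renamed binaries via the PsLogList-specific switch combination` above `selection_flgs` would make the intent explicit.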
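Review bot: The new `description` misspells `spawnd`; it should read `description: Detects suspicious processes including shells spawned from WinRM host process`. The title change to "Processes" is consistent with the non-shell binaries (schtasks, certutil, bitsadmin) the detection already lists further down the file.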
@@ -15,16 +15,17 @@ logsource:
 product: windows
 detection:
 selection:
- ParentImage: '*\wsmprovhost.exe'
- Image:
- - '*\cmd.exe'
- - '*\sh.exe'
- - '*\bash.exe'
- - '*\powershell.exe'
- - '*\schtasks.exe'
- - '*\certutil.exe'
- - '*\whoami.exe'
- - '*\bitsadmin.exe'
+ ParentImage|endswith: '\wsmprovhost.exe'
+ Image|endswith:
+ - '\cmd.exe'
+ - '\sh.exe'
+ - '\bash.exe'
+ - '\powershell.exe'
+ - '\wsl.exe'
+ - '\schtasks.exe'
+ - '\certutil.exe'
+ - '\whoami.exe'
+ - '\bitsadmin.exe'
 condition: selection
 falsepositives:
 - Legitimate WinRM usage
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
new file mode 100644
index 000000000..e4f7bac0a
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
@@ -0,0 +1,25 @@
+title: Use of Sysinternals PsService
+id: 3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f
+description: Detects usage of Sysinternals PsService for service reconnaissance or tamper
+status: experimental
+references:
+ - https://docs.microsoft.com/en-us/sysinternals/downloads/psservice
+author: Nasreddine Bencherchali
+date: 2022/06/16
+tags:
+ - attack.discovery
+ - attack.persistence
+ - attack.t1543.003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - OriginalFileName: 'psservice.exe'
+ - Image|endswith:
+ - '\PsService.exe'
+ - '\PsService64.exe'
+ condition: selection
+falsepositives:
+ - Legitimate use of PsService by an administrator
+level: medium
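Review bot: The `Image|endswith` list gains `\wsl.exe` but still omits `\pwsh.exe`, so a WinRM session that launches PowerShell 7 instead of Windows PowerShell is not covered by a rule whose title and description are about shells; add `- '\pwsh.exe'` next to `- '\powershell.exe'`. Because `condition: selection` applies no filter, legitimate remoting that runs any of these binaries will still alert, which the existing `Legitimate WinRM usage` entry already covers.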
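Review bot: The `tags` list carries `attack.discovery` without any discovery technique, while the only technique given is `attack.t1543.003` under persistence; since the description explicitly names service reconnaissance, add `- attack.t1007` (System Service Discovery) so the discovery tag is backed by a technique. `OriginalFileName: 'psservice.exe'` should be checked against the binary's version resource, as other Sysinternals tools are known to carry OriginalFileName values that do not match the on-disk name. The description would also read better as `Detects usage of Sysinternals PsService for service reconnaissance or tampering`.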