diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
index f568846fa..0c68b7242 100644
--- a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
+++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
@@ -9,7 +9,7 @@ references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-12
-modified: 2024-04-15
+modified: 2025-08-05
 tags:
 - attack.defense-evasion
 - attack.t1036
@@ -64,6 +64,11 @@ detection:
 TargetFilename|endswith:
 - '.ps1'
 - '.bat'
+    filter_main_clipchamp:
+        Image: 'C:\Windows\system32\svchost.exe'
+        TargetFilename|contains|all:
+            - 'C:\Program Files\WindowsApps\Clipchamp'
+            - '.ps1'
 condition: 1 of selection_* and not 1 of filter_main_*
 falsepositives:
 - Unknown
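Review bot: The new `filter_main_clipchamp` matches `.ps1` with `contains`, so it suppresses any svchost.exe write whose path has `.ps1` anywhere under the Clipchamp package directory (a sub-directory or a filename like `x.ps1.bat` would also be excluded), while the selection it is meant to exempt is anchored on the extension with `endswith`. Anchoring both sides keeps the exemption as narrow as the benign case it describes: replace the `contains|all` list with `TargetFilename|startswith: 'C:\Program Files\WindowsApps\Clipchamp'` and `TargetFilename|endswith: '.ps1'`. The `falsepositives` entry a few lines down still reads `Unknown` even though this filter documents a concrete benign case; a line such as `- Clipchamp package deployment via svchost.exe writing .ps1 files under WindowsApps` would let analysts tune without reading the filter block. The `detection` mapping this hunk sits in starts before the hunk.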