diff --git a/rules/windows/process_creation/proc_creation_win_susp_parents.yml b/rules/windows/process_creation/proc_creation_win_susp_parents.yml
index 76594311d..bab96368d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_parents.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_parents.yml
@@ -23,11 +23,13 @@ detection:
 - '\csrss.exe'
 - '\certutil.exe'
 - '\schtasks.exe'
+ - '\eventvwr.exe'
 filter_special:
 Image|endswith:
 - '\WerFault.exe'
 - '\wermgr.exe'
 - '\conhost.exe' # csrss.exe, certutil.exe
+ - '\mmc.exe' # eventvwr.exe
 condition: selection or ( selection_special and not filter_special )
 falsepositives:
 - Unknown
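Review bot: The added `'\mmc.exe'` entry in filter_special is exempted for every parent in selection_special, not only eventvwr.exe, because filter_special is a flat Image list and the condition `selection or ( selection_special and not filter_special )` never pairs child with parent; the trailing `# eventvwr.exe` comment records the intent but nothing enforces it, so an mmc.exe child of certutil.exe or schtasks.exe is now dropped as well (the existing conhost.exe line has the same shape). A parent-scoped filter keeps the exemption as narrow as the comment suggests. The selection_special key itself begins above the hunk, so its field is assumed here to be ParentImage|endswith; adjust if the selection uses a different field. A possible rewrite, replacing the added mmc.exe line and widening the condition, is sketched below with the file's indentation approximated.
```yaml
    filter_special:
        Image|endswith:
            # … unchanged: WerFault.exe, wermgr.exe, conhost.exe …
    filter_eventvwr_mmc:
        ParentImage|endswith: '\eventvwr.exe'
        Image|endswith: '\mmc.exe'
    condition: selection or ( selection_special and not 1 of filter_* )
```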