diff --git a/rules/network/net_mal_dns_cobaltstrike.yml b/rules/network/net_mal_dns_cobaltstrike.yml
index ac6cdf56d..3775bc795 100644
--- a/rules/network/net_mal_dns_cobaltstrike.yml
+++ b/rules/network/net_mal_dns_cobaltstrike.yml
@@ -4,9 +4,10 @@ status: experimental
 description: Detects suspicious DNS queries known from Cobalt Strike beacons
 author: Florian Roth
 date: 2018/05/10
-modified: 2020/08/27
+modified: 2021/03/24
 references:
 - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
+ - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
 logsource:
 category: dns
 detection:
@@ -17,7 +18,7 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: high
+level: critical
 tags:
 - attack.command_and_control
 - attack.t1071 # an old one
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml
index fb74d50bf..0504ec1d4 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml
@@ -17,7 +17,7 @@ falsepositives:
 level: high
 detection:
 selection_1:
- - ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
+ - ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
 condition: selection and selection_1
 ---
 logsource:
diff --git a/rules/windows/powershell/powershell_cmdline_special_characters.yml b/rules/windows/powershell/powershell_cmdline_special_characters.yml
index ec328a9a2..d4c131fb2 100644
--- a/rules/windows/powershell/powershell_cmdline_special_characters.yml
+++ b/rules/windows/powershell/powershell_cmdline_special_characters.yml
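Review bot: `level: critical` in the second hunk now sits next to `status: experimental` (visible in the first hunk header) and `falsepositives: - Unknown`, which are contradictory signals for anyone paging on critical alerts; either keep the level at high until the false-positive section documents what was validated, or move the status forward together with the level. The tags block still carries only `attack.t1071 # an old one`; since this rule is DNS-specific, the sub-technique `attack.t1071.004` belongs alongside the deprecated parent. The first hunk only bumps the modified date and adds a reference.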
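Review bot: The inline comment `# FPs with |\/r` on the new ImagePath line does not tell a reader what was wrong, and the same comment is added in powershell/powershell_invoke_obfuscation_via_var++.yml and process_creation/win_invoke_obfuscation_via_var++.yml in this diff. The removed `|\/r` was a top-level alternation, so the old pattern matched any value containing `/r` regardless of the `&&set` prefix; that is the actual cause of the false positives and is worth stating: `# trailing '|\/r' was a top-level alternation matching any value with '/r'; removed to cut FPs`. If `/r` is still wanted as an alternative to `/c`, it needs grouping, `cmd.*\/(c|r)`, rather than deletion.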
@@ -26,7 +26,7 @@ detection:
 CommandLine|re: '.*{.*{.*{.*{.*{.*'
 selection4:
 Image|endswith: '\powershell.exe'
- CommandLine|re: '.*^.*^.*^.*^.*^.*'
+ CommandLine|re: '.*\^.*\^.*\^.*\^.*\^.*'
 selection5:
 Image|endswith: '\powershell.exe'
 CommandLine|re: '.*`.*`.*`.*`.*`.*'
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
index 62f796ce2..ac20a73c2 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
@@ -17,10 +17,10 @@ logsource:
 detection:
 selection_1:
 EventID: 4104
- ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
+ ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c/c' # FPs with |\/r
 selection_2:
 EventID: 4103
- Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
+ Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
 condition: selection_1 or selection_2
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
index 30cb9b428..8d89e217b 100644
--- a/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
+++ b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
@@ -33,5 +33,5 @@ fields:
 - Image
 falsepositives:
 - System administrator Usage
- - Penetration test
-level: high
\ No newline at end of file
+ - Penetration test
+level: medium
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
index 248c69830..caeadc4e8 100644
--- a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
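Review bot: Escaping the caret fixes selection4, but the context line just above it, `CommandLine|re: '.*{.*{.*{.*{.*{.*'`, has the same class of problem: an unescaped `{` opens a quantifier, and some regex engines reject a `{` that does not form a valid repetition, so the rule may fail to compile on those backends. Escape it the same way, `CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*'`. The backtick pattern in selection5 needs no change.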
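Review bot: The new ScriptBlockText pattern ends in `\/c/c'`, so it now requires the literal text `/c/c` after `cmd` and will no longer match a plain `cmd /c`; the Payload line two lines below and the sibling rules in this diff end in `\/c'`, which looks like the intended value. Change it to `ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r`. The rule's modified date is outside the hunk; if it was not bumped with this detection change it should be.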
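Review bot: Both `level` lines are still followed by `\ No newline at end of file`, so the rewritten last line keeps the file without a trailing newline; since the line is touched anyway, end it with a newline (yamllint new-line-at-end-of-file). The `- Penetration test` line is removed and re-added with no visible content change, which suggests a whitespace-only edit; if so, it is worth saying in the commit message so the level downgrade is not hidden among formatting noise.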
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
@@ -16,7 +16,7 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
+ CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/win_susp_rar_flags.yml b/rules/windows/process_creation/win_susp_rar_flags.yml
index 67e7d2e28..16413091f 100644
--- a/rules/windows/process_creation/win_susp_rar_flags.yml
+++ b/rules/windows/process_creation/win_susp_rar_flags.yml
@@ -11,8 +11,7 @@ tags:
 - attack.collection
 - attack.t1560.001
 - attack.exfiltration # an old one
- - attack.t1002 # an old one
-
+ - attack.t1002 # an old one
 logsource:
 category: process_creation
 product: windows