diff --git a/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml b/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
index 4b3adbbbf..f7b43d2da 100644
--- a/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
+++ b/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
@@ -21,13 +21,13 @@ detection:
 - Image|endswith: '\esentutl.exe'
 CommandLine|contains:
 - 'vss'
- - '/m'
- - '/y'
+ - ' /m '
+ - ' /y '
 - CommandLine|contains:
 - '\windows\ntds\ntds.dit'
 - '\config\sam'
 - '\config\security'
- - '\config\system'
+ - '\config\system ' # space needed to avoid false positives with \config\systemprofile\
 - '\repair\sam'
 - '\repair\system'
 - '\repair\security'
diff --git a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml b/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
index c940f99f4..8d1519e4b 100644
--- a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
+++ b/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
@@ -59,7 +59,7 @@ detection:
 - '\schtasks.exe'
 - '\smartscreen.exe'
 - '\spoolsv.exe'
- - '\taskhost.exe'
+ # - '\taskhost.exe' # disabled due to false positives
 - '\tstheme.exe'
 - '\userinit.exe'
 - '\vssadmin.exe'
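Review bot: The trailing space in `'\config\system '` silences the `\config\systemprofile\` false positive, but it also stops the rule matching when `\config\system` is the last token on the command line or is followed by a closing quote (a quoted path ending in `config\system"`), so the fix narrows true positives along with the false ones. A dedicated exclusion keeps the original broad match: add `filter:` with `CommandLine|contains: '\config\systemprofile'` and append `and not filter` to the condition; the `condition:` line is outside this hunk, so that part cannot be checked here. The same trailing-space caveat applies to `' /m '` and `' /y '`, which no longer match a switch placed at the very end of the command line, and unlike the `\config\system` entry they carry no comment explaining the change — a note such as `# surrounding spaces: presumably to avoid matching /m and /y inside longer arguments` would help the next maintainer. The inline comment on the `\config\system ` line has one space before `#`; yamllint's `comments` rule expects two.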
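Review bot: Commenting out `'\taskhost.exe'` removes it from a list whose key is outside this hunk, so the coverage impact cannot be confirmed from the hunk alone; if this list selects the source images whose remote threads the rule inspects, threads originating from taskhost.exe are no longer evaluated at all, which is broader than suppressing the specific false positive. Prefer narrowing with a filter on the observed benign pattern (whatever target image or parent characteristic the false positives shared) so the entry can stay, and record the benign case under the rule's `falsepositives:` field, since rule tooling surfaces that field but not a trailing `#` comment. If the entry must stay disabled, move the explanatory comment above the line at the same indentation and cite where the false positives were documented, e.g. `# disabled: false positives, see <FP-TICKET-OR-DATASET-PLACEHOLDER>`.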