diff --git a/rules/windows/process_creation/win_system_exe_anomaly.yml b/rules/windows/process_creation/win_system_exe_anomaly.yml
index da2422704..809970e8b 100644
--- a/rules/windows/process_creation/win_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/win_system_exe_anomaly.yml
@@ -30,6 +30,13 @@ detection:
 - '*\winlogon.exe'
 - '*\explorer.exe'
 - '*\taskhost.exe'
+ - '*\Taskmgr.exe'
+ - '*\sihost.exe'
+ - '*\RuntimeBroker.exe'
+ - '*\smartscreen.exe'
+ - '*\dllhost.exe'
+ - '*\audiodg.exe'
+ - '*\wlanext.exe'
 filter:
 Image:
 - 'C:\Windows\System32\\*'
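Review bot: The added `'*\dllhost.exe'` and `'*\Taskmgr.exe'` entries match binaries that Windows also ships as 32-bit copies under `C:\Windows\SysWOW64\`, so the rule will alert on benign launches unless the `filter` list excludes that directory (and, for servicing activity, `C:\Windows\WinSxS\`). Only the first filter entry, `'C:\Windows\System32\\*'`, is visible here and the list may continue outside the hunk; if those paths are missing, add `- 'C:\Windows\SysWOW64\\*'` and `- 'C:\Windows\WinSxS\\*'` to `filter.Image`. The new names are mixed-case (`Taskmgr.exe`, `RuntimeBroker.exe`) while the existing entries are lowercase; Sigma matching is case-insensitive by specification, but it is worth confirming that the backends in use do not compile these to case-sensitive queries. A short comment above the additions saying that these are per-user and session processes expected only under the system directories would help the next person tuning the rule.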