diff --git a/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml
index 4fa3403d7..138df7b91 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml
@@ -6,7 +6,7 @@ references:
 - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
 author: Tim Rauch
 date: 2022/09/28
-modified: 2022/11/22
+modified: 2022/11/23
 tags:
 - attack.execution
 - attack.t1059
@@ -36,10 +36,11 @@ detection:
 ParentCommandLine|contains:
 - '-k apphost -s AppHostSvc'
 - '-k imgsvc'
- - '-k netsvcs -p -s NetSetupSvc'
 - '-k LocalSystemNetworkRestricted -p -s NgcSvc'
- - '-k wsappx -p -s ClipSVC'
+ - '-k netsvcs -p -s NetSetupSvc'
 - '-k netsvcs -p -s wlidsvc'
+ - '-k wsappx -p -s AppXSvc'
+ - '-k wsappx -p -s ClipSVC'
 - 'C:\Program Files (x86)\Dropbox\Client\'
 - 'C:\Program Files\Dropbox\Client\'
 condition: selection and not filter
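Review bot: The new `- '-k wsappx -p -s AppXSvc'` entry, like every other entry in this list, is a `ParentCommandLine|contains` substring match, so any parent process whose command line merely contains that string is excluded from the alert regardless of which binary is running. The opening lines of the filter selection are outside this hunk, so I cannot see whether it is also constrained by a `ParentImage|endswith: '\svchost.exe'` clause; if it is not, an attacker can suppress the detection by launching their own loader with a decoy argument such as `-k wsappx -p -s AppXSvc`, and the same applies to the `Dropbox\Client\` path strings. Consider pairing the service-host list with `ParentImage|endswith: '\svchost.exe'` inside the same selection (fields within one Sigma selection are ANDed) and moving the Dropbox entries to a separate selection keyed on `ParentImage` rather than on the command line text.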