diff --git a/rules/network/net_mal_dns_cobaltstrike.yml b/rules/network/net_mal_dns_cobaltstrike.yml
index 3775bc795..05716fee9 100644
--- a/rules/network/net_mal_dns_cobaltstrike.yml
+++ b/rules/network/net_mal_dns_cobaltstrike.yml
@@ -11,11 +11,13 @@ references:
 logsource:
 category: dns
 detection:
- selection:
+ selection1:
 query|startswith:
 - 'aaa.stage.'
 - 'post.1'
- condition: selection
+ selection2:
+ query|contains: '.stage.123456.'
+ condition: 1 of them
 falsepositives:
 - Unknown
 level: critical
diff --git a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml
index 043bcf55b..0f746e487 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml
@@ -3,7 +3,9 @@ id: fd0f5778-d3cb-4c9a-9695-66759d04702a
 related:
 - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
 type: derived
-description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
+description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references"
+references:
+ - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
 status: experimental
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
 date: 2019/11/08
diff --git a/rules/windows/builtin/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/win_susp_lsass_dump_generic.yml
index 2856705cd..4b6ab1faf 100644
--- a/rules/windows/builtin/win_susp_lsass_dump_generic.yml
+++ b/rules/windows/builtin/win_susp_lsass_dump_generic.yml
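Review bot: `condition: 1 of them` OR-s every named selection under `detection`, so a `filter` added to this rule later would be counted as a positive match instead of being subtracted; since both selections share the `selection` prefix, `condition: 1 of selection*` expresses the same intent and leaves room for a filter. The hunk begins at the `references:` context, so the rule header is outside it; if the rule carries a `modified:` field it should be bumped to the commit date, as the lsass and script rules in this commit are. A one-line comment on `selection2` stating what the `.stage.123456.` label is would also help the next maintainer, since the description line is not visible in this hunk.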
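Review bot: The new reference line ends with a stray double quote, `...Out-ObfuscatedStringCommand.ps1#L873-L888"`, carried over from the quoted description it was cut out of; YAML accepts the quote as part of the plain scalar, so the rule ships with a broken URL. Change the line to `    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888` with no trailing quote. The last context line is `date: 2019/11/08`; if the file has a `modified:` field below it, bumping it would be consistent with the other rules in this commit.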
@@ -4,7 +4,7 @@ description: Detects process handle on LSASS process with certain access mask
 status: experimental
 author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
 date: 2019/11/01
-modified: 2021/04/19
+modified: 2021/11/09
 references:
 - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
@@ -53,6 +53,9 @@ detection:
 - '\minionhost.exe' # Cyberreason
 - '\VsTskMgr.exe' # McAfee Enterprise
 - '\thor64.exe' # THOR
+ - '\MicrosoftEdgeUpdate.exe'
+ - '\GamingServices.exe'
+ - '\svchost.exe'
 ProcessName|startswith:
 - C:\Windows\System32\
 - C:\Windows\SysWow64\
diff --git a/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml b/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml
new file mode 100644
index 000000000..42fc9bc23
--- /dev/null
+++ b/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml
@@ -0,0 +1,30 @@
+title: Suspicious Cobalt Strike DNS Beaconing
+id: f356a9c4-effd-4608-bbf8-408afd5cd006
+status: experimental
+description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
+author: Florian Roth
+date: 2021/11/09
+references:
+ - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
+ - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
+tags:
+ - attack.command_and_control
+ - attack.t1071 # an old one
+ - attack.t1071.004
+logsource:
+ product: windows
+ category: dns_query
+detection:
+ selection1:
+ QueryName|startswith:
+ - 'aaa.stage.'
+ - 'post.1'
+ selection2:
+ QueryName|contains: '.stage.123456.'
+ condition: 1 of them
+fields:
+ - Image
+ - CommandLine
+falsepositives:
+ - Unknown
+level: critical
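Review bot: The three new exclusions match on image name alone, and `'\svchost.exe'` in particular is a suffix any executable of that name satisfies regardless of where it lives, which is a wide gap to open in a `critical` LSASS-handle rule; unless these entries sit in the same mapping as the `ProcessName|startswith: C:\Windows\System32\` constraint that follows (the indentation is not recoverable here, and the filter key they belong to starts above the hunk), anchor them to a full path, e.g. `- 'C:\Windows\System32\svchost.exe'` under a path-matched field. The neighbouring entries each carry a comment naming the product they exclude (`# Cyberreason`, `# McAfee Enterprise`, `# THOR`); the new ones should say the same, e.g. `- '\GamingServices.exe' # Windows Gaming Services`, so a later reviewer can tell why each exclusion exists. The date-only first hunk of this file needs nothing.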
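Review bot: `fields` lists `CommandLine`, but the `dns_query` category (Sysmon event 22 on the usual backend) describes the querying process with `Image` and the query with `QueryName` and carries no command-line field, so `CommandLine` should be dropped or replaced with `QueryName`; confirm against the backend this rule targets. The tag comment `# an old one` does not say why the parent technique `attack.t1071` is kept next to `attack.t1071.004`; either drop the parent tag or reword the comment to give the reason for keeping both. The same two selections are added to `rules/network/net_mal_dns_cobaltstrike.yml` in this commit, so a `related:` entry with `type: similar` pointing at that rule's id (not visible here) would document the link between the two.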
diff --git a/rules/network/net_susp_ipify.yml b/rules/windows/dns_query/dns_net_susp_ipify.yml
similarity index 100%
rename from rules/network/net_susp_ipify.yml
rename to rules/windows/dns_query/dns_net_susp_ipify.yml
diff --git a/rules/windows/process_creation/win_susp_script_exec_from_temp.yml b/rules/windows/process_creation/win_susp_script_exec_from_temp.yml
index 5389761e7..1a817b30f 100644
--- a/rules/windows/process_creation/win_susp_script_exec_from_temp.yml
+++ b/rules/windows/process_creation/win_susp_script_exec_from_temp.yml
@@ -6,7 +6,7 @@ references:
 - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
 author: Florian Roth, Max Altgelt
 date: 2021/07/14
-modified: 2021/08/10
+modified: 2021/11/11
 tags:
 - attack.execution
 logsource:
@@ -32,6 +32,7 @@ detection:
 - ' >'
 - 'Out-File'
 - 'ConvertTo-Json'
+ - '-WindowStyle hidden -Verb runAs' # VSCode behaviour if file cannot be written as current user
 condition: selection and not filter
 falsepositives:
 - Administrative scripts
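Review bot: The new filter entry `'-WindowStyle hidden -Verb runAs'` exempts a hidden, elevated launch on the strength of a command-line fragment alone, and `condition: selection and not filter` then suppresses the rule for any process whose command line carries that fragment, not only VS Code; the filter key these list items belong to starts above the hunk, so whether it is a `contains` match cannot be confirmed here, but the fragment itself is generic. Scope the exemption to the editor instead, e.g. a separate filter combining `ParentImage|endswith: '\Code.exe'` with the fragment, so the rule still fires when anything else re-launches a temp script hidden and elevated. The inline comment should also describe the behaviour rather than name the product, e.g. `# VS Code re-launches the script elevated when the file is not writable by the current user`. The date-only first hunk of this file needs nothing.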