diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
index d6b33d77e..82d8dd88d 100755
--- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
+++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
@@ -79,6 +79,6 @@ detection:
         TargetImage: C:\Windows\system32\svchost.exe
         GrantedAccess: '0x1000'
     condition: selection and not 1 of filter_main_*
-filter_main_:
+falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml b/rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml
index 13624fa16..b82d19826 100644
--- a/rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml
+++ b/rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject
 author: Bhabesh Raj
 date: 2022/03/11
-modified: 2022/12/20
+modified: 2023/10/17
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation
@@ -61,7 +61,6 @@ detection:
         SourceImage: 'C:\Windows\System32\Wbem\Wmiprvse.exe'
         TargetImage: 'C:\Windows\system32\lsass.exe'
         CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll'
-        CallTrace|contains: '\System.ni.dll+'
     condition: selection and not 1 of filter_*
 falsepositives:
     - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml
index e571be23a..a325b4f30 100644
--- a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml
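Review bot: The `modified` date of this rule is not bumped although the change alters the rule body, while the other two rules in the same commit move `modified` to 2023/10/17; the rule header sits above this hunk and no other hunk for this file is present, so the field appears untouched. Renaming the stray top-level `filter_main_:` key to `falsepositives:` looks correct: it restores the required falsepositives field, and because the old key was at column 0 rather than under `detection`, it was never matched by `1 of filter_main_*` in the first place. It is worth confirming that `detection` still defines at least one real `filter_main_*` selection above this hunk for that condition to resolve against; the visible `TargetImage`/`GrantedAccess: '0x1000'` pair reads like the tail of such a filter, but its name is not in view.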
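Review bot: Dropping `CallTrace|contains: '\System.ni.dll+'` widens the Wmiprvse.exe→lsass.exe filter to any access whose call trace merely starts with ntdll.dll, and since the NtOpenProcess stub in ntdll is the top frame of practically every process-access trace, the remaining `CallTrace|startswith` line no longer narrows anything; the filter now suppresses essentially all WmiPrvSE-to-LSASS access the selection would flag. WmiPrvSE is a common host for attacker-controlled code (WMI-driven execution, in-memory .NET tooling), so an exclusion this broad is a meaningful blind spot for a rule meant to catch Metasploit migrate / Empire psinject behaviour. If the `System.ni.dll` string was removed because newer .NET builds no longer show that module, the better fix is to substitute the module that now appears in legitimate traces rather than nothing, and to record the rationale in a comment such as `# WmiPrvSE legitimately opens LSASS via .NET; keep a call-trace constraint so injected code in WmiPrvSE is not masked`. The filter's name and any other fields it carries begin above this hunk, so the full set of remaining constraints is not visible here.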
@@ -11,7 +11,7 @@ references:
     - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/08/01
-modified: 2023/10/06
+modified: 2023/10/17
 tags:
     - attack.persistence
     - attack.privilege_escalation
@@ -25,10 +25,14 @@ detection:
         - OriginalFileName: 'sdbinst.exe'
     filter_main_legit_ext:
         CommandLine|contains: '.sdb'
-    filter_main_svchost:
+    filter_main_svchost1:
         ParentImage|endswith: ':\Windows\System32\svchost.exe'
         Image|endswith: ':\Windows\System32\sdbinst.exe'
         CommandLine|contains: ' -m -bg'
+    filter_main_svchost2:
+        ParentImage|endswith: ':\Windows\System32\svchost.exe'
+        Image|endswith: ':\Windows\System32\sdbinst.exe'
+        CommandLine|endswith: ' -mm'
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown
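Review bot: The new `filter_main_svchost2` trusts any sdbinst.exe whose parent is svchost.exe and whose command line ends in ` -mm`, with no constraint on what precedes the flag; svchost.exe is also the parent of scheduled-task children, so an attacker-registered task running `sdbinst.exe <db-with-odd-extension> -mm` would be excluded by this filter if sdbinst still honours a database path given before that switch, which is worth verifying. If the legitimate maintenance invocation carries no database argument, matching the whole tail, e.g. `CommandLine|endswith: 'sdbinst.exe -mm'` (or the quoted form, if that is how the service launches it), or adding a `ParentCommandLine|contains` for the hosting service group would close that gap. Both svchost filters would also benefit from a one-line comment naming the Windows component that issues these invocations, since `svchost1`/`svchost2` convey no rationale and `falsepositives` still reads `Unknown`.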