diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index e65d695c5..688b858e6 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -19,7 +19,7 @@ cdc8da7d-c303-42f8-b08c-b4ab47230263;Rundll32 Internet Connection;20\.49\.150\.2
bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151\.101\.64\.223
9711de76-5d4f-4c50-a94f-21e4e8f8384d;Installation of TeamViewer Desktop;TeamViewer_Desktop\.exe
96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;target\.exe
-9494479d-d994-40bf-a8b1-eea890237021;Suspicious Add Scheduled Task Parent;TeamViewer_\.exe
+9494479d-d994-40bf-a8b1-eea890237021;Scheduled Task Creation From Potential Suspicious Parent Location;.*
81325ce1-be01-4250-944f-b4789644556f;Suspicius Schtasks From Env Var Folder;TVInstallRestore
6ea3bf32-9680-422d-9f50-e90716b12a66;UAC Bypass Via Wsreset;EventType: DeleteKey
43f487f0-755f-4c2a-bce7-d6d2eec2fcf8;Suspicious Add Scheduled Task From User AppData Temp;TVInstallRestore
diff --git a/rules/windows/builtin/security/win_security_mal_service_installs.yml b/rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml
similarity index 58%
rename from rules/windows/builtin/security/win_security_mal_service_installs.yml
rename to rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml
index 4b24319fd..4bb92e609 100644
--- a/rules/windows/builtin/security/win_security_mal_service_installs.yml
+++ b/rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml
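Review bot: The new row for rule 9494479d-d994-40bf-a8b1-eea890237021 replaces the specific pattern `TeamViewer_\.exe` with `.*`, which, assuming the third column is the regex matched against the rule's hits as the escaped dots in the neighbouring rows suggest, accepts every false-positive hit for this rule and turns the known-FP check into a no-op for it. The surrounding rows keep the allowlist narrow to the benign sample that triggered the rule, e.g. `TVInstallRestore` for 81325ce1 and 43f487f0. I would list the concrete parent names the widened `ParentImage|contains` list now fires on instead of a blanket match, so that a new, unexpected hit for this rule is still reported.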
@@ -1,24 +1,22 @@
-title: Malicious Service Installations
+title: CosmicDuke Service Installation
id: cb062102-587e-4414-8efa-dbe3c7bf19c6
related:
- id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
type: derived
status: test
-description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
+description: |
+ Detects the installation of a service named "javamtsup" on the system.
+ The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.
references:
- - https://awakesecurity.com/blog/threat-hunting-for-paexec/
- - https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
- https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
author: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)
date: 2017/03/27
modified: 2022/10/09
tags:
- attack.persistence
- - attack.privilege_escalation
- - attack.t1003
- - car.2013-09-005
- attack.t1543.003
- attack.t1569.002
+ - detection.emerging_threats
logsource:
product: windows
service: security
@@ -26,9 +24,8 @@ logsource:
detection:
selection:
EventID: 4697
- malsvc_apt29:
ServiceName: 'javamtsup'
- condition: selection and 1 of malsvc_*
+ condition: selection
falsepositives:
- - Unknown
+ - Unlikely
level: critical
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_parent.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml
similarity index 61%
rename from rules/windows/process_creation/proc_creation_win_schtasks_parent.yml
rename to rules-threat-hunting/windows/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml
index 3ba22320c..fb27e0f1c 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_parent.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml
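Review bot: `modified: 2022/10/09` is left untouched although this hunk rewrites the title, description, references and tags and the second hunk of the same file changes the condition; the schtasks_parent rename in this commit bumps `modified: 2024/05/13`, and this file should get the same bump. The target path `rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml` also spells the family `cosmik` inside a `CosmicDuke/` directory, which looks like a typo and will make the file hard to find by name later. Dropping `attack.t1003`, `car.2013-09-005` and the two unrelated references is consistent with the narrowed, single-indicator scope, so no objection there.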
@@ -1,32 +1,37 @@
-title: Suspicious Add Scheduled Task Parent
+title: Scheduled Task Creation From Potential Suspicious Parent Location
id: 9494479d-d994-40bf-a8b1-eea890237021
status: test
-description: Detects suspicious scheduled task creations from a parent stored in a temporary folder
+description: |
+ Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location.
+ Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
references:
- https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/
author: Florian Roth (Nextron Systems)
date: 2022/02/23
-modified: 2022/06/02
+modified: 2024/05/13
tags:
- attack.execution
- attack.t1053.005
+ - detection.threat_hunting
logsource:
product: windows
category: process_creation
detection:
selection:
- Image|endswith: '\schtasks.exe'
- CommandLine|contains: '/Create '
ParentImage|contains:
+ - ':\Temp\'
- '\AppData\Local\'
- '\AppData\Roaming\'
- '\Temporary Internet'
- '\Users\Public\'
- filter:
+ - '\Windows\Temp\'
+ Image|endswith: '\schtasks.exe'
+ CommandLine|contains: '/Create '
+ filter_optional_common:
CommandLine|contains:
- 'update_task.xml'
- 'unattended.ini'
- condition: selection and not 1 of filter*
+ condition: selection and not 1 of filter_optional_*
falsepositives:
- Software installers that run from temporary folders and also install scheduled tasks
level: medium
diff --git a/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml b/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml
index 780e9f825..756cc5f60 100644
--- a/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml
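Review bot: The new `title: Scheduled Task Creation From Potential Suspicious Parent Location` reads as a grammatical slip, and the description added in the same hunk already uses the adverb form, so `title: Scheduled Task Creation From Potentially Suspicious Parent Location` would keep the two consistent. The identical string is written into known-FPs.csv in this commit, so both places have to change together. Moving `Image|endswith` and `CommandLine|contains` below the `ParentImage|contains` list is a pure reorder and `filter_optional_common` follows the repository's filter naming, so nothing to raise on the detection logic itself.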
@@ -1,7 +1,9 @@
title: Suspicious Executable File Creation
id: 74babdd6-a758-4549-9632-26535279e654
status: test
-description: Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
+description: |
+ Detect creation of suspicious executable file names.
+ Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
references:
- https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
- https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
@@ -15,7 +17,7 @@ logsource:
product: windows
category: file_event
detection:
- selection_double:
+ selection:
TargetFilename|endswith:
- ':\$Recycle.Bin.exe'
- ':\Documents and Settings.exe'
@@ -24,7 +26,7 @@ detection:
- ':\Recovery.exe'
- '.bat.exe'
- '.sys.exe'
- condition: 1 of selection_*
+ condition: selection
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_format.yml b/rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml
similarity index 63%
rename from rules/windows/process_creation/proc_creation_win_lolbin_format.yml
rename to rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml
index 273884d23..63b21f5f1 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_format.yml
+++ b/rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml
@@ -1,12 +1,14 @@
-title: Format.com FileSystem LOLBIN
+title: Uncommon FileSystem Load Attempt By Format.com
id: 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60
status: test
-description: Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs
+description: |
+ Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
references:
- https://twitter.com/0gtweet/status/1477925112561209344
- https://twitter.com/wdormann/status/1478011052130459653?s=20
author: Florian Roth (Nextron Systems)
date: 2022/01/04
+modified: 2024/05/13
tags:
- attack.defense_evasion
logsource:
@@ -16,14 +18,14 @@ detection:
selection:
Image|endswith: '\format.com'
CommandLine|contains: '/fs:'
- filter:
+ filter_main_known_fs:
CommandLine|contains:
- - '/fs:FAT'
- '/fs:exFAT'
+ - '/fs:FAT'
- '/fs:NTFS'
- - '/fs:UDF'
- '/fs:ReFS'
- condition: selection and not 1 of filter*
+ - '/fs:UDF'
+ condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml b/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml
index 670794e70..af091c58d 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml
@@ -15,13 +15,13 @@ logsource:
category: process_creation
product: windows
detection:
- selection_mstsc:
+ selection:
Image|endswith: '\ruby.exe'
CommandLine|contains|all:
- '-i '
- '-u '
- '-p '
- condition: 1 of selection_*
+ condition: selection
falsepositives:
- Unknown
level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml b/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml
index 17a02c1fc..3f13fb2a5 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml
@@ -39,7 +39,7 @@ detection:
- '\WinDefend'
- '\wscsvc'
- '\wuauserv'
- condition: selection_reg_add and 1 of selection_cli_*
+ condition: all of selection_*
falsepositives:
- Unlikely
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml b/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml
index d4f4c7e67..c0f71c2de 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml
@@ -22,9 +22,6 @@ detection:
- ' /sc once '
- '\Temp\'
condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
falsepositives:
- Administrative activity
- Software installation
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml b/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml
index 42c273d37..332026d0e 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml
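Review bot: `condition: all of selection_*` is only equivalent to the old `selection_reg_add and 1 of selection_cli_*` if exactly one `selection_cli_*` block exists; the selection definitions start above this hunk, so that cannot be confirmed from here, and with two or more `selection_cli_*` blocks the rule would now require every one of them to match and quietly stop firing on the registry-based service disabling it is meant to catch. Please check the detection block before merging, or keep the explicit form `condition: selection_reg_add and 1 of selection_cli_*` so the intent survives a later addition of another CLI selection.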
@@ -18,21 +18,21 @@ logsource:
category: process_creation
product: windows
detection:
- schtasks_exe:
+ selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- '/delete'
- '/tn'
CommandLine|contains: # Add more important tasks
- - '\Windows\SystemRestore\SR'
- - '\Windows\Windows Defender\'
- '\Windows\BitLocker'
+ - '\Windows\ExploitGuard'
+ - '\Windows\SystemRestore\SR'
+ - '\Windows\UpdateOrchestrator\'
+ - '\Windows\Windows Defender\'
- '\Windows\WindowsBackup\'
- '\Windows\WindowsUpdate\'
- - '\Windows\UpdateOrchestrator\'
- - '\Windows\ExploitGuard'
- condition: all of schtasks_*
+ condition: selection
falsepositives:
- Unlikely
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml b/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml
index dfc7970b8..41d9ecf9d 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml
@@ -19,7 +19,7 @@ logsource:
category: process_creation
product: windows
detection:
- schtasks_exe:
+ selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- '/Change'
@@ -27,14 +27,14 @@ detection:
- '/disable'
CommandLine|contains: # Add more important tasks
- - '\Windows\SystemRestore\SR'
- - '\Windows\Windows Defender\'
- '\Windows\BitLocker'
+ - '\Windows\ExploitGuard'
+ - '\Windows\SystemRestore\SR'
+ - '\Windows\UpdateOrchestrator\'
+ - '\Windows\Windows Defender\'
- '\Windows\WindowsBackup\'
- '\Windows\WindowsUpdate\'
- - '\Windows\UpdateOrchestrator\'
- - '\Windows\ExploitGuard'
- condition: all of schtasks_*
+ condition: selection
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml
index da5704365..b13d497c8 100644
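Review bot: The task-name list under `CommandLine|contains:` in this schtasks_delete hunk is the same seven entries the schtasks_disable hunk below now carries, and both keep the bare `# Add more important tasks` comment, so the two lists will drift apart the next time someone extends only one of them. A cross-reference on the list, e.g. `CommandLine|contains: # Add more important tasks; keep in sync with proc_creation_win_schtasks_disable.yml` (with the mirror comment in the disable rule), makes the coupling visible to the next editor. The alphabetical ordering introduced here at least makes a future side-by-side comparison easy.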
--- a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml
@@ -44,7 +44,7 @@ detection:
Image|endswith:
- '\code-tunnel.exe'
- '\code.exe'
- condition: (1 of selection_image_* and not 1 of filter_main_image_*) or (1 of selection_parent_* and not 1 of filter_main_parent_*)
+ condition: (1 of selection_image_* and not 1 of filter_main_image_*) or (selection_parent_tunnel and not 1 of filter_main_parent_*)
falsepositives:
- Unknown
level: high
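Review bot: The right-hand branch of the condition now names `selection_parent_tunnel` directly while the left-hand branch still uses the `1 of selection_image_*` wildcard; if any other `selection_parent_*` block remains above this hunk (the detection block starts outside it), that block becomes unreferenced and the rule quietly loses that coverage. If `selection_parent_tunnel` is the only parent selection, a short comment on the condition saying so, or renaming the block to plain `selection_parent`, would make the asymmetry read as intentional rather than as a half-finished edit.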