diff --git a/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml b/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml index bf4fd5226..f8e06f0a8 100644 --- a/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml +++ b/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml @@ -7,6 +7,7 @@ tags: - attack.t1059.001 author: Florian Roth (rule), Jonhnathan Ribeiro date: 2017/03/05 +modified: 2022/02/11 logsource: product: windows service: powershell @@ -22,7 +23,7 @@ detection: - ' -w ' - 'hidden' - '-noni' - - '-nop' + - '-nop' - ' -c ' - 'iex' - 'New-Object' @@ -50,7 +51,9 @@ detection: - 'New-Object' - 'Net.WebClient' - '.Download' - condition: all of convert_b64 or all of iex_selection or all of enc_selection or all of reg_selection or all of webclient_selection or all of iex_webclient + filter_chocolatey: + - '(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1' + condition: (all of convert_b64 or all of iex_selection or all of enc_selection or all of reg_selection or all of webclient_selection or all of iex_webclient) and not 1 of filter_* falsepositives: - Penetration tests level: high diff --git a/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml index 3c9fe2e92..a9c683b3b 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml @@ -10,7 +10,7 @@ tags: - attack.t1059.001 author: Florian Roth (rule), Jonhnathan Ribeiro date: 2017/03/05 -modified: 2021/10/18 +modified: 2022/02/11 logsource: product: windows category: ps_module @@ -28,7 +28,7 @@ detection: - ' -w ' - 'hidden' - '-noni' - - '-nop' + - '-nop' - ' -c ' - 'iex' - 'New-Object' 
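Review bot: The new `filter_chocolatey` value in the `@@ -50,7 +51,9 @@` hunk is not loadable YAML as printed: inside a single-quoted scalar a lone `'` terminates the string, so the quote before `https://` closes the value at `DownloadString(` and the remainder of the line is trailing text that a YAML loader rejects (unless the rendering dropped a doubled `''`). Either double the inner quotes or switch to double quotes, e.g. `- "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'"`. The same pattern recurs in the `ContextInfo|contains` value added to posh_pm_suspicious_invocation_specific.yml, the `ScriptBlockText|contains` value added to posh_ps_set_policies_to_unsecure_level.yml and the `ScriptBlockText|contains` value added to posh_ps_suspicious_invocation_specific.yml, so all four need the same fix. Since the filter suppresses any event that merely contains this substring, the rule's `falsepositives:` list should also name the Chocolatey installer as the excluded case rather than leaving it at `- Penetration tests`. The `detection:` block this hunk edits starts outside the hunk.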
@@ -60,7 +60,9 @@ detection: - 'New-Object' - 'Net.WebClient' - '.Download' - condition: 1 of selection* + filter_chocolatey: + ContextInfo|contains: '(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1' + condition: 1 of selection* and not 1 of filter* falsepositives: - Penetration tests level: high diff --git a/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml b/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml index 7c600eb97..3db122c63 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml @@ -4,7 +4,7 @@ status: experimental description: Detecting use WinAPI Functions in PowerShell author: Nikita Nazarov, oscd.community date: 2020/10/06 -modified: 2021/10/16 +modified: 2022/02/11 references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse tags: @@ -38,7 +38,7 @@ detection: - 'ReadProcessMemory' - 'CreateRemoteThread' - 'AdjustTokenPrivileges' - - 'WriteByte' + # - 'WriteByte' # FP with .NET System.IO.FileStream - 'WriteInt32' - 'OpenThreadToken' - 'PtrToString' diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml index 5c11057fb..e5f445760 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml @@ -11,7 +11,7 @@ tags: - attack.t1059.001 author: frack113 date: 2021/10/20 -modified: 2021/11/26 +modified: 2022/02/11 logsource: product: windows category: ps_script 
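Review bot: In the `@@ -38,7 +38,7 @@` hunk of posh_ps_accessing_win_api.yml, commenting out `- 'WriteByte'` with a trailing `# FP with .NET System.IO.FileStream` leaves dead text in the list and puts the rationale in a comment that every YAML loader discards, so anyone consuming the compiled rule never learns why the API was dropped. Prefer deleting the line and recording the reason where the rule format carries it, e.g. an entry such as `- Scripts using .NET System.IO.FileStream (WriteByte was removed from the API list for this reason)` under the rule's `falsepositives:` list, which is not visible in this hunk. It is also worth stating in the description that scripts calling only WriteByte are no longer covered, since that is the coverage trade-off this change accepts. The `detection:` block continues outside the hunk.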
@@ -24,8 +24,9 @@ detection: - 'bypass' - 'RemoteSigned' filter: - ParentImage: + - ParentImage: - 'C:\ProgramData\chocolatey\choco.exe' + - ScriptBlockText|contains: '(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')' condition: cmdlet and option and not filter falsepositives: - Administrator script diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml index 287004ebb..4b18384aa 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml @@ -10,7 +10,7 @@ tags: - attack.t1059.001 author: Florian Roth (rule), Jonhnathan Ribeiro date: 2017/03/05 -modified: 2021/10/18 +modified: 2022/02/11 logsource: product: windows category: ps_script @@ -28,7 +28,7 @@ detection: - ' -w ' - 'hidden' - '-noni' - - '-nop' + - '-nop' - ' -c ' - 'iex' - 'New-Object' @@ -60,7 +60,9 @@ detection: - 'New-Object' - 'Net.WebClient' - '.Download' - condition: 1 of select* + filter_chocolatey: + ScriptBlockText|contains: '(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1' + condition: 1 of select* and not 1 of filter* falsepositives: - Penetration tests level: high
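Review bot: In the `@@ -24,8 +24,9 @@` hunk of posh_ps_set_policies_to_unsecure_level.yml, turning `filter:` into a list of two mappings makes the entries alternatives, so with the unchanged `condition: cmdlet and option and not filter` a hit is suppressed when either the `ParentImage` entry or the new `ScriptBlockText|contains` entry matches; that is the intended shape, but it deserves a comment above `filter:` such as `# either entry suppresses the match: choco.exe as parent, or the Chocolatey bootstrap one-liner`. The pre-existing `ParentImage` entry now sitting beside it is, to my knowledge, never populated for `category: ps_script` events (script block logging carries the script text and path, not a parent image), so that branch of the filter probably never fires and the new `ScriptBlockText` entry is the one doing the work; worth confirming against the backend field mapping before relying on it. The `detection:` block starts outside the hunk.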