diff --git a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
index 65cf516b8..ac71e0388 100644
--- a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
+++ b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
@@ -3,7 +3,7 @@ id: db809f10-56ce-4420-8c86-d6a7d793c79c
 description: Raw disk access using illegitimate tools, possible defence evasion
 author: Teymur Kheirkhabarov, oscd.community
 date: 2019/10/22
-modified: 2021/12/04
+modified: 2021/12/06
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 tags:
@@ -37,6 +37,7 @@ detection:
 - '\svchost.exe'
 - 'C:\Windows\System32\taskhostw.exe'
 - 'C:\Windows\System32\SrTasks.exe'
+ - 'C:\Windows\System32\dllhost.exe'
 filter_3:
 ProcessId: 4
 condition: not filter_1 and not filter_2 and not filter_3
diff --git a/rules/windows/registry_event/sysmon_taskcache_entry.yml b/rules/windows/registry_event/sysmon_taskcache_entry.yml
index 413657014..de4456fe5 100644
--- a/rules/windows/registry_event/sysmon_taskcache_entry.yml
+++ b/rules/windows/registry_event/sysmon_taskcache_entry.yml
@@ -7,7 +7,7 @@ tags:
 - attack.t1053
 - attack.t1053.005
 date: 2021/06/18
-modified: 2021/12/04
+modified: 2021/12/06
 references:
 - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
 author: Syed Hasan (@syedhasan009)
@@ -22,6 +22,7 @@ detection:
 TargetObject|contains:
 - 'Microsoft\Windows\UpdateOrchestrator'
 - 'Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\Index'
+ - 'Microsoft\Windows\Flighting\OneSettings\RefreshCache\Index'
 condition: selection and not filter
 falsepositives:
 - Unknown
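Review bot: The new `'C:\Windows\System32\dllhost.exe'` entry in the image filter exempts a COM surrogate host that runs whatever COM server is loaded into it, so this exclusion is considerably wider than the single-purpose system binaries listed beside it; the key that opens this filter list (its `filter_N:` / `Image` line) sits above the hunk, so I cannot confirm which match modifier applies. The Sysmon RawAccessRead event this rule consumes appears to carry only the image path, process id and device, so the entry probably cannot be narrowed by command line or parent inside this rule, and the compensating measure is to record why it was added. I would pair the entry with a short YAML comment naming the benign activity that was observed, e.g. `# dllhost.exe (COM surrogate) seen doing raw disk reads during <benign activity — fill in>; full-path match, but it still hosts arbitrary COM servers`, and reflect the same reason in the rule's `falsepositives` list, which is outside this hunk.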
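Review bot: `falsepositives:` still reads `- Unknown` while the hunk grows a filter that encodes three known benign TaskCache paths, including the new `Microsoft\Windows\Flighting\OneSettings\RefreshCache\Index`; the two contradict each other, and the list item should be replaced with something like `- Windows servicing and update tasks that rewrite their own TaskCache entries (UpdateOrchestrator, SvcRestartTask, OneSettings RefreshCache)`. Because the filter is `TargetObject|contains`, each entry excludes any registry write whose target path includes that substring rather than the exact key, which is worth a one-line comment on the filter so later additions stay as specific as this one. The `filter:` key and the `selection` block are above the hunk, so I cannot see which event fields the selection constrains.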