diff --git a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
index 800138fc3..45f58b00c 100755
--- a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
@@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential
 author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)
 date: 2017/02/16
-modified: 2021/11/22
+modified: 2021/11/27
 references:
 - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
 - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -51,6 +51,7 @@ detection:
 SourceImage|endswith:
 - '\PROCEXP64.EXE'
 - '\PROCEXP.EXE'
+ - 'C:\WINDOWS\system32\taskhostw.exe'
 GrantedAccess: '0x1410'
 filter5:
 SourceImage|startswith: 'C:\ProgramData\VMware\VMware Tools\'
diff --git a/rules/windows/process_access/win_susp_proc_access_lsass.yml b/rules/windows/process_access/win_susp_proc_access_lsass.yml
index 4787aa3a6..0d4825315 100644
--- a/rules/windows/process_access/win_susp_proc_access_lsass.yml
+++ b/rules/windows/process_access/win_susp_proc_access_lsass.yml
@@ -55,6 +55,7 @@ detection:
 - 'C:\WINDOWS\system32\taskmgr.exe'
 - 'C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe'
 - 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
+ - 'C:\WINDOWS\system32\taskhostw.exe'
 # Windows Defender
 filter2:
 SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
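Review bot: The new entry `'C:\WINDOWS\system32\taskhostw.exe'` in the `@@ -51` hunk of sysmon_cred_dump_lsass_access.yml is a full path inside a `SourceImage|endswith` list whose other members are bare filename suffixes (`'\PROCEXP64.EXE'`, `'\PROCEXP.EXE'`), so it reads like an exact-path match but is evaluated as a suffix; either write it as `'\taskhostw.exe'` to follow the list's convention or move it into a filter that uses plain `SourceImage` equality, as win_susp_proc_access_lsass.yml does in the same commit. The `GrantedAccess: '0x1410'` on the following line keeps this exclusion bounded to one access mask, which is the right shape for excluding a generic host process rather than trusting the image path alone. The filter block that owns these lines begins outside the hunk, so its name and any other conditions cannot be checked here. A one-line comment above the entry recording why it was excluded, e.g. `# taskhostw.exe: benign 0x1410 access to lsass observed — see <tracking-ref placeholder>`, would make later tuning reviews easier.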
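Review bot: The added `'C:\WINDOWS\system32\taskhostw.exe'` line in win_susp_proc_access_lsass.yml excludes every LSASS access from that image, because the visible `SourceImage` list carries no `GrantedAccess` condition, whereas the sibling exclusion in sysmon_cred_dump_lsass_access.yml in this same commit restricts the same image to `GrantedAccess: '0x1410'`. taskhostw.exe is Windows' generic host process for task DLLs, so an image-path-only exclusion presumably removes coverage for any code it hosts; if the head of this filter (outside the hunk) does not already bound the access mask, the entry should be paired with the same `GrantedAccess: '0x1410'` constraint so the two rules agree. This file's `modified:` date is also left unchanged while the sibling rule's is bumped to `2021/11/27`, so the two rules will disagree about when this exclusion was introduced.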