diff --git a/rules/windows/image_load/sysmon_susp_system_drawing_load.yml b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml
index 3cff40bd6..58ab11940 100644
--- a/rules/windows/image_load/sysmon_susp_system_drawing_load.yml
+++ b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml
@@ -21,6 +21,7 @@ detection:
         Image|endswith: 
             - '\WmiPrvSE.exe'
             - '\mmc.exe'
+            - 'C:\Windows\System32\NhNotifSys.exe'
             - '\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe'
             - '\mscorsvw.exe'
         Image|startswith:
diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
index 2af835cb6..fedd7875b 100755
--- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
+++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
@@ -3,7 +3,7 @@ id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
 description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
 status: experimental
 date: 2019/10/27
-modified: 2021/11/20
+modified: 2021/11/25
 author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
 references:
     - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
@@ -47,6 +47,7 @@ detection:
             - '\Microsoft VS Code\Code.exe'
             - '\aurora-agent-64.exe'
             - '\aurora-agent.exe'
+            - 'C:\WINDOWS\system32\NhNotifSys.exe'
             - 'C:\Windows\Microsoft.NET\Framework\*\NGenTask.exe'
     condition: ( selection1 or selection2 or selection3 ) and not filter
 fields:
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
index b87887648..b1476b064 100755
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
@@ -193,7 +193,7 @@ detection:
     filter:
         - Details: '(Empty)'
         - TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount'
-    condition: main_selection or
+    condition: ( main_selection or
                session_manager_base and session_manager or
                current_version_base and current_version or
                nt_current_version_base and nt_current_version or
@@ -205,7 +205,7 @@ detection:
                classes_base and classes or
                scripts_base and scripts or
                winsock_parameters_base and winsock_parameters or
-               system_control_base and system_control and not filter
+               system_control_base and system_control ) and not filter
 fields:
     - SecurityID
     - ObjectName