diff --git a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml b/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml
index d9d77b85b..39b660156 100644
--- a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml
+++ b/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects shellcode injection by Metasploit's migrate and Empire's psinject
 author: Bhabesh Raj
 date: 2022/03/11
-modified: 2022/09/21
+modified: 2022/10/20
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
@@ -41,10 +41,18 @@ detection:
 GrantedAccess: 0x1F3FFF
 CallTrace|startswith: 'C:\Windows\System32\ntdll.dll'
 filter_dell_specifc:
- SourceImage: C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe
- TargetImage: C:\Windows\Explorer.EXE
+ SourceImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
+ TargetImage: 'C:\Windows\Explorer.EXE'
 GrantedAccess: 0x1F3FFF
 CallTrace|startswith: 'C:\Windows\System32\ntdll.dll'
+ filter_visual_studio:
+ SourceImage:
+ - 'C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\PerfWatson2.exe'
+ - 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\PerfWatson2.exe'
+ TargetImage:
+ - 'C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe'
+ - 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe'
+ CallTrace|startswith: 'C:\Windows\System32\ntdll.dll'
 condition: selection and not 1 of filter_*
 falsepositives:
 - Empire's csharp_exe payload uses 0x1f3fff for process enumeration as well
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
index 3e97012a9..8c58a608f 100644
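Review bot: The new `filter_visual_studio` omits the `GrantedAccess: 0x1F3FFF` constraint that `filter_dell_specifc` in the same hunk keeps, so it exempts every PerfWatson2.exe-to-devenv.exe access regardless of the rights requested, not only the full-access pattern the selection is built around; adding `GrantedAccess: 0x1F3FFF` to the filter keeps the exclusion as narrow as the Dell one. The two-entry `SourceImage` and `TargetImage` lists are matched independently, so a 2022 source paired with a 2019 target is also filtered, which is probably acceptable but worth a one-line comment. The filter is pinned to Community-edition paths, so other editions or install drives will still fire; a comment stating that scope would save the next maintainer a search. The `detection:` block and its `selection` start outside this hunk.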
--- a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
@@ -10,7 +10,7 @@ references:
 - https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
 - https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
 date: 2020/05/02
-modified: 2022/09/21
+modified: 2022/10/20
 logsource:
 product: windows
 category: registry_delete
@@ -44,9 +44,13 @@ detection:
 Image|contains: 'peazip'
 # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
 TargetObject|contains: '\PeaZip.'
+ filter_everything:
+ Image|endswith: '\Everything.exe'
+ # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
+ TargetObject|contains: '\Everything.'
 condition: selection and not 1 of filter_*
 falsepositives:
- - Unknown
+ - Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered
 level: medium
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
index adb130442..404d64bdc 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
@@ -12,7 +12,7 @@ references:
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
 date: 2019/10/25
-modified: 2022/10/18
+modified: 2022/10/20
 logsource:
 category: registry_set
 product: windows
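Review bot: `Image|endswith: '\Everything.exe'` in the new `filter_everything` keys the exclusion on the executable name alone, so any process named Everything.exe in any directory is exempted from the rule; the companion change to the Run-key rule in this commit anchors on `\Everything\Everything.exe`, so `Image|endswith: '\Everything\Everything.exe'` would keep the two filters consistent and require the expected parent folder. The existing PeaZip filter is at least as loose (`Image|contains: 'peazip'`), so a name-only match may be the accepted trade-off here; if so, a one-line comment saying the filter is name-based by design would settle it. The `detection:` block and its `selection` begin outside this hunk.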
@@ -135,7 +135,7 @@ detection:
 Details: 'C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe'
 filter_everything:
 TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\Everything'
- Details: '"C:\Program Files\Everything\Everything.exe" -startup'
+ Details|endswith: '\Everything\Everything.exe" -startup' # We remove the starting part as it could be installed in different locations
 condition: all of current_version_* and not 1 of filter_*
 fields:
 - SecurityID
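Review bot: Switching to `Details|endswith: '\Everything\Everything.exe" -startup'` removes the install-directory anchor, so the exclusion now accepts a Run value pointing anywhere whose last folder is named `Everything`, which makes the filter noticeably less specific than the full-path form it replaces; if only a small set of install roots is expected, an additional `Details|startswith` list naming those roots (placeholder: the roots actually observed) would keep the directory constraint while still covering the alternate locations the comment mentions. The explanatory comment is appended inline after the value on a long line, whereas the other rules in this commit place such notes on their own line above the key; moving `# We remove the starting part as it could be installed in different locations` above `Details|endswith` matches that style. The `filter_everything` map is complete in the hunk, but the enclosing `detection:` block and the `current_version_*` selections start outside it.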