diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
index 1b882804c..fb9d2dcf9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
@@ -7,7 +7,7 @@ references:
     - https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
 author: Florian Roth
 date: 2021/04/23
-modified: 2022/10/09
+modified: 2023/01/24
 tags:
     - attack.credential_access
     - attack.t1552.004
@@ -18,7 +18,9 @@ logsource:
 detection:
     selection:
         ScriptBlockText|contains: 'Export-PfxCertificate'
-    condition: selection
+    filter_moduleexport:
+        ScriptBlockText|contains: 'CmdletsToExport = @('
+    condition: selection and not 1 of filter*
 falsepositives:
     - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
 level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
index 07d60631b..cad0c455c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
@@ -9,7 +9,7 @@ references:
     - https://github.com/danielbohannon/Invoke-Obfuscation
 author: frack113
 date: 2022/12/27
-modified: 2023/01/03
+modified: 2023/01/24
 tags:
     - attack.defense_evasion
     - attack.t1027.009
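Review bot: The new `filter_moduleexport` block in posh_ps_susp_export_pfxcertificate.yml carries no comment saying what `CmdletsToExport = @(` is meant to exclude, so a later maintainer cannot tell why module-manifest text is being dropped; add `# Exclude PowerShell module manifest (.psd1) content logged as a script block; the PKI manifest presumably lists Export-PfxCertificate among its exported cmdlets` above it. Since both the selection and the filter are plain substring matches over the whole ScriptBlockText, any script block that happens to contain both strings is suppressed regardless of what else it does, so if the logged manifests carry another fixed key, a second `ScriptBlockText|contains` on it in the same filter would keep the exclusion tied to manifest text. The condition uses `1 of filter*` while proc_creation_win_susp_cmd.yml in this same commit uses `1 of filter_*`; the underscore form is the one used elsewhere here and cannot accidentally match a future selection whose name merely starts with `filter`.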
@@ -26,7 +26,7 @@ detection:
         # ${e`Nv:pATh}
         - ScriptBlockText|re: '\w+`(\w+|-|.)`[\w+|\s]'
         #- ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
-        - ScriptBlockText|re: '"(\{\d\})+"\s*-f'
+        - ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f' # trigger on at least two placeholders. One might be used for legitimate string formatting
         - ScriptBlockText|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}'
     filter:
         ScriptBlockText|contains: 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
index 8207a77da..409a6a154 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
@@ -6,7 +6,7 @@ references:
     - https://github.com/Wh04m1001/SysmonEoP
 author: frack113, Tim Shelton (update fp)
 date: 2022/12/05
-modified: 2023/01/18
+modified: 2023/01/24
 tags:
     - attack.privilege_escalation
     - attack.defense_evasion
@@ -62,6 +62,8 @@ detection:
         ParentImage|endswith: '\invcol.exe'
         ParentCommandLine|contains: 'C:\ProgramData\Dell\UpdateService\'
         Image|endswith: '\cmd.exe'
+    filter_empty_parent1: # Most probably SetupHost.exe during Windows updates/upgrades; See comment on rule id: f4bbd493-b796-416e-bbf2-121235348529
+        CommandLine: "powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';"
     condition: all of selection_* and not 1 of filter_*
 falsepositives:
     - Unknown
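Review bot: The inline comment on the changed regex in posh_ps_token_obfuscation.yml says it triggers on at least two placeholders, but `(\{\d\}){2,}` only matches placeholders written back to back (`"{0}{1}"`), so a format string with a literal between them such as `"{0} {1}"` is not counted and the comment overstates what the pattern does; either record that in the comment, `# trigger on at least two adjacent placeholders; a single one is common in legitimate string formatting`, or widen the pattern deliberately and re-check the false-positive rate. The comment also follows the value with a single space, whereas yamllint expects two spaces before an inline `#`. The enclosing `selection` list begins before this hunk and the rule's `condition` follows after it.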
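Review bot: `filter_empty_parent1` in proc_creation_win_susp_cmd.yml is named after the case it belongs to rather than what it excludes, and its own comment hedges with "Most probably SetupHost.exe", so the rule now suppresses one exact command line on a guess, with no Image or parent field tying the exclusion to the update scenario; a descriptive name such as `filter_win_update_setuphost` and a comment recording how the false positive was observed would make the exclusion reviewable later. The match is a byte-exact CommandLine comparison, trailing `;` included, which is deliberately narrow but silently stops filtering if the update tooling changes its quoting, and that trade-off is worth stating in the comment. yamllint also wants two spaces before the inline `#` on the key line. The `detection` block and its `selection_*` sections begin before this hunk.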