diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index f9e95e5f2..c6e644da9 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -44,4 +44,4 @@ Link the fixed issues here, in case your commit fixes issues with rules or code ### SigmaHQ Rule Creation Conventions -- If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md) +- If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/) diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml index b6f1154d2..6b0778d5f 100644 --- a/.github/workflows/greetings.yml +++ b/.github/workflows/greetings.yml @@ -29,6 +29,6 @@ jobs: It looks like this is your first pull request on the Sigma rules repository! - Please make sure to read the [SigmaHQ conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md) document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval. + Please make sure to read the [SigmaHQ conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/) document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval. Thanks again, and welcome to the Sigma community! :smiley: diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 5a03fa60b..e5f6d3ada 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
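Review bot: The greeting text in the `+` line still calls the linked target a "document" (singular) and keeps the trailing slash (`.../sigmahq/`), while the CONTRIBUTING.md hunk that follows switches to "documents" and drops the slash (`.../sigmahq`); the PR template hunk keeps the slash. Since all three now point at the same directory, it would be cleaner to use one spelling of the URL and one wording everywhere, e.g. `[SigmaHQ conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/) documents`. The `jobs:` step whose message body this line belongs to starts outside the hunk.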
@@ -48,6 +48,6 @@ git push origin your-feature-branch ## 📚 Adding or Updating Detection Rules -To update or contribute a new rule please make sure to follow the guidelines in the [SigmaHQ conventions document](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md). Consider installing the [VsCode Sigma Extension](https://marketplace.visualstudio.com/items?itemName=humpalum.sigma) for auto completion and quality of life features. +To update or contribute a new rule please make sure to follow the guidelines in the [SigmaHQ conventions documents](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq). Consider installing the [VsCode Sigma Extension](https://marketplace.visualstudio.com/items?itemName=humpalum.sigma) for auto completion and quality of life features. Thank you for contributing to Sigma! 🧙‍♂️ diff --git a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml index 580ee4f7e..507343c29 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml @@ -9,7 +9,7 @@ references: - https://github.com/danielbohannon/Invoke-Obfuscation author: frack113 date: 2022/12/27 -modified: 2023/03/24 +modified: 2024/08/10 tags: - attack.defense_evasion - attack.t1027.009 
@@ -27,7 +27,7 @@ detection: - ScriptBlockText|re: '\w+`(\w+|-|.)`[\w+|\s]' # - ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme - ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f' # trigger on at least two placeholders. One might be used for legitimate string formatting - - ScriptBlockText|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}' + - ScriptBlockText|re: '(?i)\$\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\}' filter_chocolatey: ScriptBlockText|contains: - 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey diff --git a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml index a1aceed79..f7be94afa 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml @@ -9,7 +9,7 @@ references: - https://github.com/danielbohannon/Invoke-Obfuscation author: frack113 date: 2022/12/27 -modified: 2022/12/30 +modified: 2024/08/09 tags: - attack.defense_evasion - attack.t1027.009 @@ -26,7 +26,7 @@ detection: - CommandLine|re: '\w+`(\w+|-|.)`[\w+|\s]' # - CommandLine|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme - CommandLine|re: '"(\{\d\})+"\s*-f' - - CommandLine|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}' + - CommandLine|re: '(?i)\$\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\}' condition: selection falsepositives: - Unknown
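Review bot: The backtick requirement in the new `ScriptBlockText|re` pattern is not scoped to the `${env:path}` token: `(?=.*`)` is satisfied by a backtick anywhere later on the same line, so an unobfuscated `${env:path}` followed by an unrelated backtick escape elsewhere in the script block still matches, and the `+?` quantifier on the lookahead is redundant at best (PCRE ignores a non-zero-minimum quantifier on an assertion) and may not be accepted by every backend's regex engine. Consider `` '(?i)\$\{(?=[^}]*`)`?e`?n`?v`?:`?p`?a`?t`?h`?\}' ``, which only fires when at least one backtick sits between `${` and the closing `}` of that token. The identical pattern is added to `CommandLine|re` in the proc_creation_win_powershell_token_obfuscation.yml hunk below and should get the same fix. The `detection` mapping of the posh_ps rule (its `condition`) continues outside this hunk.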