diff --git a/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
index 360d7c36d..396ed5fad 100644
--- a/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
+++ b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
@@ -3,13 +3,13 @@ id: fe6e002f-f244-4278-9263-20e4b593827f
 description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
 status: experimental
 date: 2019/09/12
-modified: 2021/12/03
+modified: 2021/12/04
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
     - attack.execution
     - attack.t1059.001
 references:
-    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
+    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190610201010.html
 logsource:
     product: windows
     category: image_load
@@ -18,9 +18,12 @@ detection:
         Description: 'System.Management.Automation'
         ImageLoaded|contains: 'System.Management.Automation'
     filter:
-        Image|endswith: 
+        - Image|endswith:
             - '\powershell.exe'
             - '\mscorsvw.exe'
+        - Image|startswith:
+            - 'C:\Program Files (x86)\Microsoft Visual Studio\'
+            - 'C:\Program Files\Microsoft Visual Studio\'
     condition: selection and not filter
 falsepositives:
     - Unknown
diff --git a/rules/windows/image_load/sysmon_susp_system_drawing_load.yml b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml
index e4b181dcb..8dd350f87 100644
--- a/rules/windows/image_load/sysmon_susp_system_drawing_load.yml
+++ b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml
@@ -3,7 +3,7 @@ id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
 description: A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture.
 status: experimental
 date: 2020/05/02
-modified: 2021/12/03
+modified: 2021/12/04
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
     - attack.collection
@@ -18,13 +18,8 @@ detection:
     selection:
         ImageLoaded|endswith: '\System.Drawing.ni.dll'
     filter:
-        Image|endswith: 
-            - '\WmiPrvSE.exe'
-            - '\mmc.exe'
-            - '\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe'
-            - '\mscorsvw.exe'
-            - '\ServiceHub.Host.CLR.x86.exe'
-            - '\ServiceHub.ThreadedWaitDialog.exe'
+        # The number of false positives was too high - we had to do this broader filter 
+        # based on the following paths that shouldn't be writable to an unprivileged user
         Image|startswith:
             - 'C:\Program Files\'
             - 'C:\Program Files (x86)\'