diff --git a/rules/windows/process_creation/process_creation_apt_turla_commands_critical.yml b/rules/windows/process_creation/process_creation_apt_turla_commands_critical.yml
new file mode 100755
index 000000000..3d9c64bd7
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_apt_turla_commands_critical.yml
@@ -0,0 +1,32 @@
+title: Turla Group Lateral Movement
+id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
+status: experimental
+description: Detects automated lateral movement by Turla group
+references:
+    - https://securelist.com/the-epic-turla-operation/65545/
+tags:
+    - attack.g0010
+    - attack.execution
+    - attack.t1059
+    - attack.lateral_movement
+    - attack.t1077 # an old one
+    - attack.t1021.002
+    - attack.discovery
+    - attack.t1083
+    - attack.t1135
+author: Markus Neis
+date: 2017/11/07
+modified: 2021/09/19
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine:
+            - 'net use \\%DomainController%\C$ "P@ssw0rd" *'
+            - 'dir c:\\*.doc* /s'
+            - 'dir %TEMP%\\*.exe'
+    condition: selection
+level: critical
+falsepositives:
+    - Unknown
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_apt_turla_commands.yml b/rules/windows/process_creation/process_creation_apt_turla_commands_medium.yml
old mode 100755
new mode 100644
similarity index 74%
rename from rules/windows/process_creation/win_apt_turla_commands.yml
rename to rules/windows/process_creation/process_creation_apt_turla_commands_medium.yml
index 61b55cf12..41af8a48f
--- a/rules/windows/process_creation/win_apt_turla_commands.yml
+++ b/rules/windows/process_creation/process_creation_apt_turla_commands_medium.yml
@@ -1,5 +1,5 @@
-action: global
 title: Turla Group Lateral Movement
+id: 75925535-ca97-4e0a-a850-00b5c00779dc
 status: experimental
 description: Detects automated lateral movement by Turla group
 references:
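Review bot: The UNC prefix in `'net use \\%DomainController%\C$ "P@ssw0rd" *'` is probably rendered as a single backslash: in Sigma string escaping a `\\` that is not followed by a wildcard denotes one literal backslash, so two literal backslashes would need `\\\\%DomainController%` — worth checking the converted output of the target backend. Separately, `%DomainController%` reads like the anonymisation placeholder from the referenced write-up rather than a string that would appear in real command lines, so this first pattern may never match; a comment above it recording that origin would save the next reviewer the same question. The `attack.t1077 # an old one` tag sits beside its successor `attack.t1021.002`; keeping a deprecated technique is fine, but a fuller remark such as `# T1077 is deprecated in ATT&CK; kept for older mappings` would state why.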
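Review bot: After the split both files carry the identical `title: Turla Group Lateral Movement` and the identical `description`, so alerts from the two rules cannot be told apart by name and any duplicate-title check in the repository will flag them. As far as the visible context shows, this file keeps only the net view / discovery command pairing, so a distinguishing title such as `title: Turla Group Lateral Movement - Network Discovery Commands` and a description naming that pairing would fit. Dropping `action: global` is the intended effect of the split and is fine on its own.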
@@ -16,24 +16,10 @@ tags:
     - attack.t1135
 author: Markus Neis
 date: 2017/11/07
-modified: 2020/08/27
+modified: 2021/09/19
 logsource:
     category: process_creation
     product: windows
-falsepositives:
-    - Unknown
----
-id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
-detection:
-    selection:
-        CommandLine:
-            - 'net use \\%DomainController%\C$ "P@ssw0rd" *'
-            - 'dir c:\\*.doc* /s'
-            - 'dir %TEMP%\\*.exe'
-    condition: selection
-level: critical
----
-id: 75925535-ca97-4e0a-a850-00b5c00779dc
 detection:
     netCommand1:
         CommandLine: 'net view /DOMAIN'
@@ -44,3 +30,5 @@ detection:
     timeframe: 1m
     condition: netCommand1 | near netCommand2 and netCommand3
 level: medium
+falsepositives:
+    - Unknown
diff --git a/rules/windows/process_creation/process_creation_win_exchange_transportagent.yml b/rules/windows/process_creation/process_creation_win_exchange_transportagent.yml
index a498310c1..564270ff6 100644
--- a/rules/windows/process_creation/process_creation_win_exchange_transportagent.yml
+++ b/rules/windows/process_creation/process_creation_win_exchange_transportagent.yml
@@ -1,5 +1,5 @@
 title: MSExchange Transport Agent Installation
-id: 83809e84-4475-4b69-bc3e-4aad856861
+id: 83809e84-4475-4b69-bc3e-4aad8568612f
 status: experimental
 description: Detects the Installation of a Exchange Transport Agent
 references:
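Review bot: With the first document removed, the condition `netCommand1 | near netCommand2 and netCommand3` with `timeframe: 1m` is now the sole detection of this file, and the `near` aggregation is implemented by only a few conversion backends, so the rule is likely to be skipped or rejected at conversion time rather than deployed; the `detection:` mapping begins above the hunk. If that is acceptable for an experimental rule, a comment above the condition such as `# near aggregation: requires a backend with correlation support` would record it; otherwise a plain `or` over the three selections at this medium level would convert everywhere. The added `falsepositives: - Unknown` is fine and restores the field the split moved out of the shared header.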