diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
index 1213ebb0b..f74a18219 100644
--- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
@@ -8,7 +8,7 @@ references:
 - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
 author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex)
 date: 2022/08/14
-modified: 2022/09/28
+modified: 2022/09/29
 tags:
 - attack.defense_evasion
 - attack.persistence
@@ -427,6 +427,9 @@ detection:
 - 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
 - 'C:\Windows\System32\backgroundTaskHost.exe'
 ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
+ filter_cleanmgr:
+ Image: 'C:\Windows\System32\cleanmgr.exe'
+ ImageLoaded|endswith: '\ssshim.dll'
 condition: selection and not 1 of filter_*
 falsepositives:
 - Legitimate applications loading their own versions of the DLLs mentioned in this rule
diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
index c018ae144..ebc4aecc5 100644
--- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
+++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
@@ -6,7 +6,7 @@ author: Nasreddine Bencherchali
 references:
 - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
 date: 2022/07/17
-modified: 2022/09/10
+modified: 2022/09/29
 tags:
 - attack.defense_evasion
 - attack.t1070
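Review bot: The new `filter_cleanmgr` matches `ssshim.dll` loaded by cleanmgr.exe from any path, which in a rule keyed on non-system load locations means a copy of that DLL sitting in a user-writable directory is now excluded as well; pinning the filter with an `ImageLoaded|startswith` on the directory the benign loads were actually observed in, or documenting why a path-agnostic match is acceptable, would keep the exclusion auditable. The identical filter in image_load_susp_dll_load_system_process.yml in this commit carries two comment lines (the triggering cleanmgr command line and the note that the DLL is sometimes loaded from %temp%); carrying them over here would give the next maintainer the same context for re-validating the exclusion. The `detection:` mapping and the filter entry this hunk opens on both start above the hunk.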
@@ -23,12 +23,17 @@ detection:
 - '\Downloads\'
 - '\AppData\Local\Temp\'
 - 'C:\PerfLogs\'
- filter:
+ filter_generic:
 - Image|endswith: '\msiexec.exe'
 - ImageLoaded|startswith:
 - 'C:\Program Files\'
 - 'C:\Program Files (x86)\'
- condition: selection and not filter
+ filter_cleanmgr:
+ # Example CLI that generates this event: C:\WINDOWS\system32\cleanmgr.exe /autocleanstoragesense /d C:
+ # Sometimes the DLL gets loaded from %temp%
+ Image: 'C:\Windows\System32\cleanmgr.exe'
+ ImageLoaded|endswith: '\ssshim.dll'
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml b/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml
index 03df88539..a6e6506f3 100755
--- a/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml
@@ -6,18 +6,22 @@ references:
 - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
 author: Kutepov Anton, oscd.community
 date: 2019/10/23
-modified: 2022/03/26
+modified: 2022/09/29
 logsource:
 category: registry_add
 product: windows
 detection:
 selection:
 EventType: 'CreateKey' # don't want DeleteKey events
- TargetObject|contains|all:
+ TargetObject|contains|all:
 - 'HKU\'
 - 'Classes\CLSID\'
 - '\TreatAs'
- condition: selection
+ filter_svchost:
+ # Example of target object by svchost
+ # TargetObject: HKU\S-1-5-21-1098798288-3663759343-897484398-1001_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs
+ Image: 'C:\WINDOWS\system32\svchost.exe'
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Maybe some system utilities in rare cases use linking keys for backward compatibility
 level: medium
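Review bot: `filter_cleanmgr`, read together with its own comment that the DLL is sometimes loaded from %temp%, means this rule no longer sees cleanmgr.exe loading `ssshim.dll` out of `\AppData\Local\Temp\`, and Temp is a user-writable location that the `selection` list above exists to catch; a filter keyed only on the image path and the DLL's base name cannot distinguish that benign load from an unexpected one at the same location. If the Temp loads consistently come from one subdirectory pattern, constrain the filter with `ImageLoaded|contains` or `ImageLoaded|startswith` on that path rather than the bare name alone; if they do not, add a comment stating that this image/DLL pair is accepted deliberately and on what evidence. The rename of `filter` to `filter_generic` and the switch to `1 of filter_*` are consistent with the sibling rule in this commit. The `selection` mapping this hunk opens on starts above the hunk.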
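Review bot: `filter_svchost` keys only on `Image`, so every CreateKey by svchost.exe on a `HKU\…\Classes\CLSID\…\TreatAs` key is now excluded, while the comment above it documents a single CLSID (`{0003000A-0000-0000-C000-000000000046}`) as the observed benign case; since svchost.exe hosts many unrelated services, a filter that additionally requires `TargetObject|contains: '{0003000A-0000-0000-C000-000000000046}'` would keep that false positive out without blinding the rule to TreatAs keys created under any other CLSID. The same image-only filter is added in the registry_set_treatas_persistence.yml hunk of this commit, whose two example TargetObjects likewise name only that CLSID, so the same narrowing applies there. The `TargetObject|contains|all` line is changed only in whitespace. The rule's header fields continue above the hunk.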
diff --git a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
index 9313a2ea7..6b453e15e 100644
--- a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
@@ -19,10 +19,15 @@ detection:
 Image|endswith: '\OfficeClickToRun.exe'
 filter_office2:
 Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
+ filter_svchost:
+ # Example of target object by svchost
+ # TargetObject: HKLM\SOFTWARE\Microsoft\MsixRegistryCompatibility\Package\Microsoft.Paint_11.2208.6.0_x64__8wekyb3d8bbwe\User\SOFTWARE\Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default)
+ # TargetObject: HKU\S-1-5-21-1000000000-000000000-000000000-0000_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default)
+ Image: 'C:\WINDOWS\system32\svchost.exe'
 condition: selection and not 1 of filter_*
 falsepositives:
 - Legitimate use
 level: medium
 tags:
- - attack.persistence
- - attack.t1546.015
+ - attack.persistence
+ - attack.t1546.015