diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
index a25e7f125..a73d5208c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
@@ -7,7 +7,7 @@ references:
 - https://tools.thehacker.recipes/mimikatz/modules
 author: Florian Roth (rule), David ANDRE (additional keywords)
 date: 2021/12/20
-modified: 2022/09/27
+modified: 2023/01/19
 logsource:
 category: process_creation
 product: windows
@@ -62,18 +62,24 @@ detection:
 - 'token::' #Mimikatz
 - 'vault::cred' #Mimikatz
 - 'vault::list' #Mimikatz
- - ' p::d ' # Mimikatz
+ - ' p::d ' # Mimikatz
 - ';iex(' # PowerShell IEX
 - 'MiniDump' # Process dumping method apart from procdump
 - 'net user '
- filter:
+ filter_ping:
 CommandLine: 'ping 127.0.0.1 -n 5'
 filter_vs:
 Image|endswith: '\PING.EXE'
 ParentCommandLine|contains: '\DismFoDInstall.cmd'
 filter_config_mgr:
 ParentImage|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
- condition: all of selection* and not 1 of filter*
+ filter_java:
+ ParentImage|startswith: 'C:\Program Files (x86)\Java\'
+ ParentImage|endswith: '\bin\javaws.exe'
+ Image|startswith: 'C:\Program Files (x86)\Java\'
+ Image|endswith: '\bin\jp2launcher.exe'
+ CommandLine|contains: ' -ma '
+ condition: all of selection* and not 1 of filter_*
 falsepositives:
 - Administrative activity
 - Scripts and administrative tools used in the monitored environment
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
index f2b6f5703..5010d5f48 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
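Review bot: `filter_java` keys the exclusion on the 32-bit install root only, so the same javaws-to-jp2launcher launch from a 64-bit JRE under `C:\Program Files\Java\` is still alerted on; if the false positive is a property of the product rather than of one deployment, make both prefixes lists, `ParentImage|startswith: ['C:\Program Files (x86)\Java\', 'C:\Program Files\Java\']` and the same for `Image|startswith`. Unlike the filters added to the sibling rules in this commit, this one also carries no comment saying which keyword it neutralises — presumably a procdump-style `' -ma '` entry earlier in the selection list, which lies above this hunk — so a line such as `# jp2launcher started by Java Web Start carries ' -ma ' on its command line, colliding with the procdump keyword (confirm)` would keep the next maintainer from either widening or dropping it. Worth stating in that comment, too, that a filter match suppresses the whole event, not just the one keyword, because `condition: all of selection* and not 1 of filter_*` cannot express a per-keyword exception.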
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
@@ -10,7 +10,7 @@ references:
 - https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/05/02
-modified: 2022/10/20
+modified: 2023/01/19
 tags:
 - attack.defense_evasion
 - attack.t1112
@@ -51,6 +51,13 @@ detection:
 Image|endswith: '\Everything.exe'
 # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
 TargetObject|contains: '\Everything.'
+ filter_uninstallers:
+ # This image path is linked with different uninstallers when running as admin unfortunately
+ Image|startswith: 'C:\Windows\Installer\MSI'
+ filter_java:
+ Image|startswith: 'C:\Program Files (x86)\Java\'
+ Image|endswith: '\installer.exe'
+ TargetObject|contains: '\Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}'
 condition: selection and not 1 of filter_*
 falsepositives:
 - Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered
diff --git a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
index efb7e3aed..11fdecf90 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
@@ -7,7 +7,7 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
 author: Mateusz Wydra, oscd.community
 date: 2020/10/13
-modified: 2022/09/21
+modified: 2023/01/19
 tags:
 - attack.defense_evasion
 - attack.t1218
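Review bot: `filter_uninstallers` suppresses every COM-key deletion performed by any image whose path starts with `C:\Windows\Installer\MSI`, and that prefix is where Windows Installer stages the binary custom actions of any package run elevated (the `MSIxxxx.tmp` files), not the footprint of one vendor — so a trojanized or attacker-authored MSI that removes a hijacked CLSID from a custom action is now invisible to this rule. Unlike `filter_java` in the same hunk it has no `TargetObject` constraint tying the exclusion to the product that caused the false positive. If that uninstaller is known, pin it the same way with `TargetObject|contains: '<its CLSID or ProgID>'`; if it is not, at least extend the comment so the trade-off is explicit, e.g. `# NOTE: any elevated MSI custom action runs from this path, so this also hides malicious installers`. The `selection` this filters against starts above the hunk.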
@@ -21,11 +21,14 @@ detection:
 TargetObject|contains:
 - 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
 - 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
- filter:
+ filter_atbroker:
 Image: 'C:\Windows\system32\atbroker.exe'
 TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
 Details: '(Empty)'
- condition: selection and not filter
+ filter_uninstallers:
+ Image|startswith: 'C:\Windows\Installer\MSI'
+ TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Creation of non-default, legitimate at usage
 level: medium
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
index 122227129..8284673f3 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
@@ -12,7 +12,7 @@ references:
 - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
-modified: 2022/12/14
+modified: 2023/01/19
 tags:
 - attack.persistence
 - attack.t1547.001
@@ -20,10 +20,10 @@ logsource:
 category: registry_set
 product: windows
 detection:
- wow_current_version_base:
+ selection_wow_current_version_base:
 EventType: SetValue
 TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion'
- wow_current_version_keys:
+ selection_wow_current_version_keys:
 TargetObject|contains:
 - '\ShellServiceObjectDelayLoad'
 - '\Run\'
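Review bot: `filter_uninstallers` drops any write to the `Accessibility\ATs` key made from an image under `C:\Windows\Installer\MSI`, which is the registration this rule exists to catch (the atbroker technique from the LOLBAS reference in the header), and that path is the Windows Installer staging directory for the custom-action binaries of every elevated package rather than one product — a malicious MSI registering its own AT entry therefore passes silently. If the false positive comes from a known accessibility-tool installer, bind the exclusion to what it writes as well as where it runs from, e.g. `Details|contains: '<its install path or AT name>'` or a narrower `TargetObject|contains` on the subkey it creates, and record the product in a comment such as `# <vendor> accessibility tool registers its AT entry from an MSI custom action`. As written there is no comment at all, unlike the same filter added to the sibling rules in this commit. The `selection` block this filters against begins above the hunk.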
@@ -85,7 +85,14 @@ detection:
 - '\windowsdesktop-runtime-' # C:\WINDOWS\Temp\{751E2E78-46DC-4376-9205-99219CDC34AE}\.be\windowsdesktop-runtime-6.0.12-win-x86.exe
 - '\AspNetCoreSharedFrameworkBundle-' # "C:\ProgramData\Package Cache\{b52191c1-a9c0-4b34-9a4e-930c2dd8a540}\AspNetCoreSharedFrameworkBundle-x86.exe" /burn.runonce
 Details|endswith: ' /burn.runonce'
- condition: all of wow_current_version_* and not 1 of filter_*
+ filter_uninstallers:
+ # This image path is linked with different uninstallers when running as admin unfortunately
+ Image|startswith: 'C:\Windows\Installer\MSI'
+ TargetObject|contains: '\Explorer\Browser Helper Objects'
+ filter_msiexec:
+ Image: 'C:\WINDOWS\system32\msiexec.exe'
+ TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\'
+ condition: all of selection_wow_current_version_* and not 1 of filter_*
 fields:
 - SecurityID
 - ObjectName
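Review bot: `filter_msiexec` excludes every value written under the Wow6432Node `Run` key by `msiexec.exe`, which turns any 32-bit MSI — including one a user is lured into running — into a blanket bypass for this persistence rule, since the installer can register an autostart entry without producing a hit. The false positive is presumably legitimate software registering its own launcher, so bind the exclusion to the value written rather than to the process alone, e.g. `Details|startswith: ['C:\Program Files', '"C:\Program Files']` (adjust for how your Sysmon/EDR source quotes `Details`), so that a payload dropped under `%TEMP%`, `%APPDATA%` or `ProgramData` still alerts. The same caution applies to `filter_uninstallers`: `C:\Windows\Installer\MSI` is where Windows Installer stages the custom-action executables of every elevated package, not a specific vendor, so its comment should spell out that trade-off, e.g. `# NOTE: any elevated MSI custom action runs from this path; BHO registrations by malicious installers are hidden too`. The `selection_wow_current_version_*` blocks and the earlier `filter_*` entries are outside this hunk.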