diff --git a/rules/windows/process_creation/win_susp_powershell_empire_lanuch.yml b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
similarity index 82%
rename from rules/windows/process_creation/win_susp_powershell_empire_lanuch.yml
rename to rules/windows/process_creation/win_susp_powershell_empire_launch.yml
index 7584f7217..fb9a17e53 100644
--- a/rules/windows/process_creation/win_susp_powershell_empire_lanuch.yml
+++ b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
@@ -5,6 +5,7 @@ references:
 - https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165
 - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191
 - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178
+ - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
 author: Florian Roth
 date: 2019/04/20
 tags:
@@ -18,5 +19,6 @@ detection:
 CommandLine:
 - '* -NoP -sta -NonI -W Hidden -Enc *'
 - '* -noP -sta -w 1 -enc *'
+ - '* -NoP -NonI -W Hidden -enc *'
 condition: selection
 level: critical
diff --git a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
new file mode 100644
index 000000000..68c674479
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
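Review bot: The third CommandLine value added to win_susp_powershell_empire_launch.yml changes the rule's detection logic, yet the rule keeps `date: 2019/04/20` with no `modified:` entry, so consumers cannot tell the rule was revised; Sigma records edits with a `modified` field, e.g. `modified: 2019/08/30` (the date the new rule in this commit uses). The same omission applies to the win_susp_whoami.yml hunk further down, whose detection is rewritten. Separately, Sigma string matching is case-insensitive, so the mixed `-Enc`/`-enc` and `-W`/`-w` casing across the three values carries no meaning and the new value differs from the first only by the absent `-sta`; a comment such as `# matching is case-insensitive; the values differ only in which flags are present` above the list would keep a future maintainer from adding further case variants. The rule's header and tags begin before the hunk.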
@@ -0,0 +1,28 @@
+title: Empire PowerShell UAC Bypass
+status: experimental
+description: Detects some Empire PowerShell UAC bypass methods
+references:
+ - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
+ - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64
+author: Ecco
+date: 2019/08/30
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine:
+ - '* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*'
+ - '* -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1088
+ - car.2019-04-001
+falsepositives:
+ - unknown
+level: critical
diff --git a/rules/windows/process_creation/win_susp_whoami.yml b/rules/windows/process_creation/win_susp_whoami.yml
index b1a4f1dd3..c2e3a40c3 100644
--- a/rules/windows/process_creation/win_susp_whoami.yml
+++ b/rules/windows/process_creation/win_susp_whoami.yml
@@ -15,8 +15,10 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine: whoami
- condition: selection
+ Image: '*\whoami.exe'
+ selection2:
+ OriginalFileName: 'whoami.exe'
+ condition: selection or selection2
 falsepositives:
 - Admin activity
 - Scripts and administrative tools used in the monitored environment
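Review bot: The two CommandLine values in the new win_susp_powershell_empire_uac_bypass.yml write the registry path with doubled backslashes (`HKCU:Software\\Microsoft\\Windows Update`) while the whoami rule in the same commit writes `'*\whoami.exe'` with a single one; in Sigma `\\` is an escaped single backslash and a lone backslash before a non-wildcard character is also literal, so both forms match one backslash, but the inconsistency invites a maintainer to "fix" one of them. A comment above the list, e.g. `# \\ is a Sigma-escaped single backslash`, would document the intent. The `fields` list names only CommandLine and ParentCommandLine; given the referenced modules (EventVwrBypass, FodHelperBypass) the parent image is presumably the auto-elevating binary being abused, so adding `ParentImage` would give analysts that context — confirm against the module source.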
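Review bot: `selection2` in the win_susp_whoami.yml hunk keys on `OriginalFileName`, which Sysmon process-creation events populate but Windows Security 4688 logging does not, so on hosts without Sysmon the `selection or selection2` condition silently degrades to the `Image` match alone and a renamed whoami.exe goes undetected; the rule's `logsource` block, which starts just above the hunk, does not state that dependency. A comment on the line, e.g. `# OriginalFileName is Sysmon-only; catches a renamed whoami.exe`, would make the coverage explicit. Note also that the removed `CommandLine: whoami` was an exact match, so the new Image-based selection is broader (invocations with arguments now match) and the `falsepositives` entries below the hunk may deserve a recheck.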