diff --git a/rules/windows/sysmon/sysmon_wmi_module_load.yml b/rules/windows/sysmon/sysmon_wmi_module_load.yml
index 5b3eca687..8c660f19e 100644
--- a/rules/windows/sysmon/sysmon_wmi_module_load.yml
+++ b/rules/windows/sysmon/sysmon_wmi_module_load.yml
@@ -32,6 +32,9 @@ detection:
 - '\WmiAPsrv.exe'
 - '\svchost.exe'
 - '\DeviceCensus.exe'
+ - '\CompatTelRunner.exe'
+ - '\sdiagnhost.exe'
+ - '\SIHClient.exe'
 condition: selection and not filter
 fields:
 - ComputerName
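Review bot: The three new filter entries (`\CompatTelRunner.exe`, `\sdiagnhost.exe`, `\SIHClient.exe`) exclude by file name only, so a binary carrying one of those names in any directory would be dropped by `selection and not filter`. The filter's field and modifier sit outside this hunk, but if it is an image-path suffix match, as the existing entries suggest, anchoring each entry to its expected directory, e.g. `- '\Windows\System32\sdiagnhost.exe'`, keeps the false-positive fix without widening the blind spot. `sdiagnhost.exe` deserves the most care, since it hosts scripted diagnostics content and a blanket exclusion removes this rule's visibility into whatever it runs. A short comment above the additions naming the false-positive source, such as `# Windows telemetry/update/diagnostics hosts seen as benign false positives`, would help later reviewers judge whether the exclusions are still needed.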