diff --git a/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml b/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml
index 639270573..0989036a8 100644
--- a/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml
+++ b/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml
@@ -1,10 +1,14 @@
 title: Computer Discovery And Export Via Get-ADComputer Cmdlet
 id: 435e10e4-992a-4281-96f3-38b11106adde
+related:
+ - id: db885529-903f-4c5d-9864-28fe199e6370
+ type: similar
 status: experimental
 description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
 references:
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
+ - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
 author: Nasreddine Bencherchali
 date: 2022/11/10
 modified: 2022/11/17
@@ -26,7 +30,6 @@ detection:
 CommandLine|contains|all:
 - 'Get-ADComputer '
 - ' -Filter \*'
- selection_output:
 CommandLine|contains:
 - ' > '
 - ' | Select '
diff --git a/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml b/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml
index b6af16ff5..8ac47c9a4 100644
--- a/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml
+++ b/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml
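Review bot: Dropping the `selection_output:` key folds `CommandLine|contains:` into the preceding selection, so the rule's `condition` — which lies after this hunk and is not shown — must no longer reference `selection_output`, otherwise the rule will not compile; please confirm it was changed to `condition: selection` in the same commit. Two modifier keys under one selection are still AND-ed, so the export requirement is preserved, but the intent is less visible than with the named block; a short comment on the merged selection such as `# ' > ' / ' | Select ': output redirected or piped, i.e. exported` would keep that clear. The same deletion appears in the second hunk of proc_creation_win_user_discovery_get_aduser.yml and the same condition check applies there.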
@@ -1,5 +1,8 @@
 title: User Discovery And Export Via Get-ADUser Cmdlet
-id: c2993223-6da8-4b1a-88ee-668b8bf315e9
+id: 1114e048-b69c-4f41-bc20-657245ae6e3f
+related:
+ - id: c2993223-6da8-4b1a-88ee-668b8bf315e9
+ type: similar
 status: experimental
 description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
 references:
@@ -26,7 +29,6 @@ detection:
 CommandLine|contains|all:
 - 'Get-ADUser '
 - ' -Filter \*'
- selection_output:
 CommandLine|contains:
 - ' > '
 - ' | Select '
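Review bot: Replacing a published rule's `id` (c2993223… → 1114e048…) is a breaking change for anyone who tracks, suppresses or maps this rule by UUID, and nothing in the hunk explains why the identity changed. If the old UUID is now carried by a different rule, `type: similar` under `related` does not convey that lineage; `derived` would, so please pick the relation type that matches what actually happened and state the reason in the commit description. The `modified` date for this file is outside the hunk; it should be bumped together with the id change if that has not been done.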