diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
index 896c310da..52115f0fc 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
@@ -14,9 +14,11 @@ references:
 - https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques
 - https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea
 - https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis
+ - https://github.com/rtecCyberSec/BitlockMove
+ - https://cert.gov.ua/article/6284080
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-07-16
-modified: 2025-05-06
+modified: 2025-07-01
 tags:
 - attack.persistence
 - attack.t1546.015
@@ -43,6 +45,9 @@ detection:
 - '\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\'
 - '\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\'
 - '\{30D49246-D217-465F-B00B-AC9DDD652EB7}\'
+ - '\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\'
+ - '\{2227A280-3AEA-1069-A2DE-08002B30309D}\'
+ - '\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\'
 selection_susp_location_1:
 Details|contains:
 # Note: Add more suspicious paths and locations
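Review bot: The three CLSIDs appended to the selection list in the second hunk carry no comment saying which COM object they identify or which of the two newly added references (BitlockMove, CERT-UA article 6284080) motivated them, so a later maintainer cannot tell whether they belong to the rule's "builtin CLSID" set or are campaign-specific indicators that should eventually be reviewed. A one-line YAML comment above the new entries, e.g. `# Added 2025-07-01 - CLSIDs observed in the BitlockMove and CERT-UA 6284080 references`, would keep the list auditable without changing the logic. The selection key these entries belong to, and its field and modifier, sit above the hunk, so the match semantics could not be checked here; if the list is under a `contains` modifier, the mixed-case entries (lowercase and uppercase GUIDs already coexist in the context lines) rely on Sigma's case-insensitive default, which is worth stating in that comment.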