diff --git a/rules/windows/etw/file_access/file_access_win_browser_credential_stealing.yml b/rules/windows/etw/file_access/file_access_win_browser_credential_stealing.yml
index f0eeca908..b9fb94baa 100644
--- a/rules/windows/etw/file_access/file_access_win_browser_credential_stealing.yml
+++ b/rules/windows/etw/file_access/file_access_win_browser_credential_stealing.yml
@@ -1,11 +1,14 @@
-title: Browser Credential Stealing
+title: Browser Credential Store Access
 id: 91cb43db-302a-47e3-b3c8-7ede481e27bf
 status: experimental
-description: Steals cookies and credentials from the user
+description: Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing
 references:
     - https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
 author: frack113
 date: 2022/04/09
+tags:
+    - attack.t1003
+    - attack.credential_access
 logsource:
     category: file_access
     product: windows
@@ -34,9 +37,6 @@ detection:
         TargetFilename|endswith: '\APPDATA\LOCAL\MICROSOFT\WINDOWS\WEBCACHE\WEBCACHEV01.DAT'
     condition: selection and not 1 of filter_*
 falsepositives:
-    - Very Probably
     - Antivirus, Anti-Spyware, Anti-Malware Software
+    - Backup software
 level: medium
-tags:
-    - attack.t1003
-    - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_susp_base64_cmdline_param.yml b/rules/windows/process_creation/proc_creation_win_susp_base64_cmdline_param.yml
index 69e6cf857..f6e9e1c00 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_base64_cmdline_param.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_base64_cmdline_param.yml
@@ -4,6 +4,7 @@ status: experimental
 description: Detects programs that use base64 encoded values provided via command line, which is often an indicator of obfuscation but could also be used for legitimate purposes (e.g. if certain special characters would mess with the command line interface, enccrypted keys etc.)
 author: Florian Roth
 date: 2022/04/05
+modified: 2022/04/08
 references:
    - https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/d
 logsource:
@@ -13,7 +14,9 @@ detection:
    selection:
       - CommandLine|endswith: '=='
       - CommandLine|contains: '== -'
-   condition: selection
+   filter:
+      Image|endswith: '\VeeamAgent.exe'
+   condition: selection and not 1 of filter*
 falsepositives:
    - Legitimate software that uses base64 encoded values in its command line
 level: medium