diff --git a/rules/windows/image_load/sysmon_susp_system_drawing_load.yml b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml
index 8dd350f87..4852c145f 100644
--- a/rules/windows/image_load/sysmon_susp_system_drawing_load.yml
+++ b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml
@@ -3,7 +3,7 @@ id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
 description: A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture.
 status: experimental
 date: 2020/05/02
-modified: 2021/12/04
+modified: 2021/12/05
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
     - attack.collection
@@ -34,4 +34,4 @@ detection:
     condition: selection and not 1 of filter*
 falsepositives:
     - unknown
-level: medium
\ No newline at end of file
+level: low # too many false positives
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
index 058710221..460217f60 100755
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
@@ -11,7 +11,7 @@ tags:
     - attack.t1547.001
     - attack.t1060 # an old one
 date: 2019/10/25
-modified: 2021/11/26
+modified: 2021/12/05
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton
 logsource:
     category: registry_event
@@ -193,6 +193,7 @@ detection:
     filter:
         - Details: '(Empty)'
         - TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount'
+        - Image: 'C:\WINDOWS\System32\svchost.exe'
     condition: ( main_selection or session_manager_base and session_manager or current_version_base and current_version or
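Review bot: The rationale for lowering `level` in the second hunk of sysmon_susp_system_drawing_load.yml is left as an inline YAML comment, while the `falsepositives` field two lines above still reads `- unknown`; the comment is dropped by any tool that parses the rule, so the field is where the reason belongs. Replace `- unknown` with a short statement of the observed source of noise (presumably legitimate .NET processes loading this assembly, which the description does not confirm) and reduce the changed line to `level: low`. If the comment is kept, yamllint's `comments` rule wants two spaces before the `#`. The commit rewrites the file's last line but keeps `\ No newline at end of file`; adding the trailing newline here would be free.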