diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_iofilestream.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_iofilestream.yml
index c9913e6b7..f81018dbe 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_iofilestream.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_iofilestream.yml
@@ -3,7 +3,7 @@ id: 70ad982f-67c8-40e0-a955-b920c2fa05cb
 status: experimental
 description: Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume.
 date: 2022/01/09
-modified: 2022/01/10
+modified: 2022/03/05
 author: frack113
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md
@@ -16,7 +16,7 @@ detection:
         ScriptBlockText|contains|all:
             - New-Object 
             - IO.FileStream
-            - '\\.\'
+            - '\\\\.\\'
     condition: selection
 falsepositives:
     - Legitimate PowerShell scripts
diff --git a/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml b/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml
index 57d611743..40979d4ff 100644
--- a/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml
@@ -7,7 +7,7 @@ references:
     - https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
     - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
 date: 2021/07/27
-modified: 2021/08/30
+modified: 2022/03/05
 tags:
     - attack.execution
     - attack.t1059 
@@ -23,11 +23,11 @@ detection:
         ParentCommandLine|contains: 
             - '/C whoami'
             - 'cmd.exe /C echo'
-            - ' > \\.\pipe'
+            - ' > \\\\.\\pipe'
     selection3:
         CommandLine|contains: 
             - 'cmd.exe /c echo'
-            - '> \\.\pipe'
+            - '> \\\\.\\pipe'
             - '\whoami.exe'
         ParentImage|endswith: '\dllhost.exe'
     selection4:
diff --git a/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml b/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml
index 1f6d68412..61ff3daf2 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml
@@ -7,7 +7,7 @@ references:
   - https://securelist.com/schroedingers-petya/78870/
   - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
 date: 2019/01/16
-modified: 2021/12/08
+modified: 2022/03/05
 logsource:
   category: process_creation
   product: windows
@@ -15,7 +15,7 @@ detection:
   select_pipe_com:
     CommandLine|contains|all:
       - '\AppData\Local\Temp\'
-      - '\\.\pipe\\'
+      - '\\\\.\\pipe\\'
   select_rundll32_dash1:
     Image|endswith: '\rundll32.exe'
     CommandLine|endswith: