diff --git a/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml
index a68cb0621..02c86f9a6 100644
--- a/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml
@@ -4,9 +4,9 @@ status: experimental
 description: Detects a Windows program executable started in a suspicious folder
 references:
 - https://twitter.com/GelosSnake/status/934900723426439170
-author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community
+author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali
 date: 2017/11/27
-modified: 2021/05/23
+modified: 2022/07/03
 tags:
 - attack.defense_evasion
 - attack.t1036
@@ -20,6 +20,7 @@ detection:
 - '\rundll32.exe'
 - '\services.exe'
 - '\powershell.exe'
+ - '\powershell_ise.exe'
 - '\regsvr32.exe'
 - '\spoolsv.exe'
 - '\lsass.exe'
@@ -38,6 +39,31 @@ detection:
 - '\dllhost.exe'
 - '\audiodg.exe'
 - '\wlanext.exe'
+ - '\dashost.exe'
+ - '\schtasks.exe'
+ - '\cscript.exe'
+ - '\wscript.exe'
+ - '\wsl.exe'
+ - '\bitsadmin.exe'
+ - '\atbroker.exe'
+ - '\bcdedit.exe'
+ - '\certutil.exe'
+ - '\certreq.exe'
+ - '\cmstp.exe'
+ - '\conhost.exe'
+ - '\consent.exe'
+ - '\defrag.exe'
+ - '\dism.exe'
+ - '\dllhst3g.exe'
+ - '\eventvwr.exe'
+ - '\msiexec.exe'
+ - '\runonce.exe'
+ - '\winver.exe'
+ - '\logonui.exe'
+ - '\userinit.exe'
+ - '\dwm.exe'
+ - '\LsaIso.exe'
+ - '\ntoskrnl.exe'
 filter:
 - Image|startswith:
 - 'C:\Windows\System32\'
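Review bot: Several images added in the third hunk have legitimate install locations outside the Windows directory that the visible `C:\Windows\System32\` filter prefix does not cover — `dism.exe` ships with the Windows ADK deployment tools under Program Files, and `wsl.exe` is delivered as a Store package under WindowsApps on newer builds — so the rule's falsepositives section (not in this diff) should be updated and the filter checked for those paths; the remainder of the filter list continues outside the hunk and may already handle them. The new `'\LsaIso.exe'` entry is the only mixed-case value in an otherwise lowercase list; Sigma string matching is case-insensitive so detection is unaffected, but `'\lsaiso.exe'` keeps the list consistent. The `'\powershell_ise.exe'` entry added in the second hunk lives under both `C:\Windows\System32\WindowsPowerShell\v1.0\` and the SysWOW64 equivalent, so confirm that a `C:\Windows\SysWOW64\` prefix is present in the part of the filter not shown here.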