diff --git a/deprecated/windows/powershell_suspicious_invocation_specific.yml b/deprecated/windows/powershell_suspicious_invocation_specific.yml
index 4e410a901..aaff39aca 100644
--- a/deprecated/windows/powershell_suspicious_invocation_specific.yml
+++ b/deprecated/windows/powershell_suspicious_invocation_specific.yml
@@ -7,55 +7,61 @@ tags: - attack.t1059.001 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro date: 2017/03/05 -modified: 2022/04/11 +modified: 2023/05/04 logsource: product: windows service: powershell definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: - convert_b64: - - '-nop' - - ' -w ' - - 'hidden' - - ' -c ' - - '[Convert]::FromBase64String' - iex_selection: - - ' -w ' - - 'hidden' - - '-noni' - - '-nop' - - ' -c ' - - 'iex' - - 'New-Object' - enc_selection: - - ' -w ' - - 'hidden' - - '-ep' - - 'bypass' - - '-Enc' - reg_selection: - - 'powershell' - - 'reg' - - 'add' - - 'HKCU\software\microsoft\windows\currentversion\run' - webclient_selection: - - 'bypass' - - '-noprofile' - - '-windowstyle' - - 'hidden' - - 'new-object' - - 'system.net.webclient' - - '.download' - iex_webclient: - - 'iex' - - 'New-Object' - - 'Net.WebClient' - - '.Download' + selection_convert_b64: + '|all': + - '-nop' + - ' -w ' + - 'hidden' + - ' -c ' + - '[Convert]::FromBase64String' + selection_iex: + '|all': + - ' -w ' + - 'hidden' + - '-noni' + - '-nop' + - ' -c ' + - 'iex' + - 'New-Object' + selection_enc: + '|all': + - ' -w ' + - 'hidden' + - '-ep' + - 'bypass' + - '-Enc' + selection_reg: + '|all': + - 'powershell' + - 'reg' + - 'add' + - 'HKCU\software\microsoft\windows\currentversion\run' + selection_webclient: + '|all': + - 'bypass' + - '-noprofile' + - '-windowstyle' + - 'hidden' + - 'new-object' + - 'system.net.webclient' + - '.download' + selection_iex_webclient: + '|all': + - 'iex' + - 'New-Object' + - 'Net.WebClient' + - '.Download' filter_chocolatey: - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1" - "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')" - 'Write-ChocolateyWarning' - condition: (all of convert_b64 or all of iex_selection or all of enc_selection or all of reg_selection or all of webclient_selection or all of 
iex_webclient) and not 1 of filter_* + condition: 1 of selection_* and not 1 of filter_* falsepositives: - Unknown level: high diff --git a/rules/linux/auditd/lnx_auditd_binary_padding.yml b/rules/linux/auditd/lnx_auditd_binary_padding.yml index a13c63e96..968099af1 100644 --- a/rules/linux/auditd/lnx_auditd_binary_padding.yml +++ b/rules/linux/auditd/lnx_auditd_binary_padding.yml @@ -6,9 +6,9 @@ description: | This rule detect using dd and truncate to add a junk data to file. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md -author: 'Igor Fits, oscd.community' +author: Igor Fits, oscd.community date: 2020/10/13 -modified: 2023/01/06 +modified: 2023/05/03 tags: - attack.defense_evasion - attack.t1027.001 @@ -19,14 +19,16 @@ detection: selection_execve: type: 'EXECVE' keywords_truncate: - - 'truncate' - - '-s' + '|all': + - 'truncate' + - '-s' keywords_dd: - - 'dd' - - 'if=' + '|all': + - 'dd' + - 'if=' keywords_filter: - 'of=' - condition: selection_execve and (all of keywords_truncate or (all of keywords_dd and not keywords_filter)) + condition: selection_execve and (keywords_truncate or (keywords_dd and not keywords_filter)) falsepositives: - Unknown level: high diff --git a/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml b/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml index db6bb212a..67ac87b8d 100644 --- a/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml +++ b/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml @@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md author: 'Igor Fits, oscd.community' date: 2020/10/15 -modified: 2023/01/06 +modified: 2023/04/30 tags: - attack.credential_access - attack.t1552.001 
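Review bot: The quotes are dropped from the author value here (`author: Igor Fits, oscd.community`) while the identical value stays single-quoted in rules/linux/auditd/lnx_auditd_find_cred_in_files.yml, which this same commit also touches. Both forms parse to the same string, because a comma is only significant in flow style, but the two files now differ for no reason. Either keep `author: 'Igor Fits, oscd.community'` in this file or unquote it in the other one as well so the metadata is written the same way across the commit.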
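Review bot: The new `'|all':` key under `keywords_truncate` and `keywords_dd` now carries the all-must-match meaning that the removed `all of …` wording in the condition used to state explicitly, while `keywords_filter` stays a plain list that matches any single entry; nothing in the file says so, and the new `condition: selection_execve and (keywords_truncate or (keywords_dd and not keywords_filter))` reads as if all three selections behaved alike. A comment at the first `'|all':`, e.g. `# '|all': every listed string must occur in the same event (a plain list matches any one entry)`, would make the difference visible to the next person tuning the rule. The same documentation gap applies to the `'|all':` blocks this commit introduces in lnx_auditd_find_cred_in_files.yml, win_exchange_proxyshell_mailbox_export.yml, win_system_susp_sam_dump.yml and the deprecated powershell_suspicious_invocation_specific.yml, so a single explanatory comment per file at the first use would be enough.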
@@ -17,9 +17,10 @@ detection: selection: type: 'EXECVE' keywords: - - 'grep' - - 'password' - condition: selection and all of keywords + '|all': + - 'grep' + - 'password' + condition: selection and keywords falsepositives: - Unknown level: high diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml index 17877777c..4d3789169 100644 --- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml +++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml @@ -6,7 +6,7 @@ references: - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html author: Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems) date: 2021/08/09 -modified: 2023/02/28 +modified: 2023/04/30 tags: - attack.persistence - attack.t1505.003 @@ -15,16 +15,18 @@ logsource: product: windows detection: export_command: - - 'New-MailboxExportRequest' - - ' -Mailbox ' + '|all': + - 'New-MailboxExportRequest' + - ' -Mailbox ' export_params: - '-FilePath "\\\\' # We care about any share location. - '.aspx' role_assignment: - - 'New-ManagementRoleAssignment' - - ' -Role "Mailbox Import Export"' - - ' -User ' - condition: (all of export_command and export_params) or all of role_assignment + '|all': + - 'New-ManagementRoleAssignment' + - ' -Role "Mailbox Import Export"' + - ' -User ' + condition: (export_command and export_params) or role_assignment falsepositives: - Unlikely level: critical diff --git a/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_sam_dump.yml b/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_sam_dump.yml index 76d470125..84b793271 100644 --- a/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_sam_dump.yml 
+++ b/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_sam_dump.yml @@ -4,7 +4,7 @@ status: test description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers author: Florian Roth (Nextron Systems) date: 2018/01/27 -modified: 2022/04/14 +modified: 2023/04/30 tags: - attack.credential_access - attack.t1003.002 @@ -17,9 +17,10 @@ detection: Provider_Name: Microsoft-Windows-Kernel-General EventID: 16 keywords: - - '\AppData\Local\Temp\SAM-' - - '.dmp' - condition: selection and all of keywords + '|all': + - '\AppData\Local\Temp\SAM-' + - '.dmp' + condition: selection and keywords falsepositives: - Unknown level: high