diff --git a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
index bb444d03d..0fc1790c3 100644
--- a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
+++ b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
@@ -7,7 +7,7 @@ references:
 - https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
 author: frack113
 date: 2023/01/07
-modified: 2023/01/09
+modified: 2023/01/11
 tags:
 - attack.defense_evasion
 - attack.t1562.002
@@ -20,12 +20,20 @@ detection:
 CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll+'
 CallTrace|contains: '|UNKNOWN('
 CallTrace|endswith: ')'
- filter_msbuild:
- SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
- SourceImage|endswith:
- - '\MSBuild\Current\Bin\amd64\MSBuild.exe'
- - '\MSBuild\Current\Bin\MSBuild.exe'
- TargetImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
+ filter_generic:
+ SourceImage|startswith:
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)\'
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ TargetImage|startswith:
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)\'
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ filter_thor:
+ SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\'
+ SourceImage|endswith: '\thor\thor64.exe'
 condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
index dfb0314f7..e07ac11d2 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/Wh04m1001/SysmonEoP
 author: frack113, Tim Shelton (update fp)
 date: 2022/12/05
-modified: 2023/01/10
+modified: 2023/01/11
 tags:
 - attack.privilege_escalation
 - attack.defense_evasion
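Review bot: `filter_generic` in the second hunk of proc_access_win_invoke_patchingapi.yml excludes every SourceImage and every TargetImage under Program Files, Program Files (x86), System32 and SysWOW64, which is a much wider exclusion than the MSBuild-specific filter it replaces, so any access between two processes living in those directories no longer alerts even with the ntdll+UNKNOWN call trace; that coverage trade-off is worth confirming against the rule's level, which sits outside the hunk. The exclusion is also prefix-only, unlike `filter_thor` in the same hunk, which pins the full image name with `SourceImage|endswith: '\thor\thor64.exe'`. Either way the tuning should be recorded rather than left as `falsepositives: - Unknown`; suggest replacing that entry with `- Legitimate software installed under Program Files or the Windows system directories` and `- THOR scanner launched by the ASGARD agent (see filter_thor)`.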
@@ -53,6 +53,10 @@ detection:
 ParentImage|startswith: 'C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\'
 ParentImage|endswith: '\CitrixReceiverUpdater.exe'
 Image|endswith: '\cmd.exe'
+ filter_thor:
+ ParentImage|endswith: '\python.exe'
+ CommandLine: 'C:\WINDOWS\system32\cmd.exe /c "ver"'
+ CurrentDirectory|contains: 'C:\WINDOWS\Temp\asgard2-agent\'
 condition: all of selection_* and not 1 of filter_*
 falsepositives:
 - Unknown
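Review bot: The new `filter_thor` recognises the agent only by the parent's file name (`ParentImage|endswith: '\python.exe'`) and by `CurrentDirectory` containing `C:\WINDOWS\Temp\asgard2-agent\`, which is weaker than the matching filter added to proc_access_win_invoke_patchingapi.yml in this same commit, where the exclusion is anchored on the agent's own image path. If the python.exe used by the agent ships under that directory, anchor on it too, e.g. `ParentImage|startswith: 'C:\WINDOWS\Temp\asgard2-agent\'`, so that a working directory under Temp is not on its own enough to satisfy the exclusion. The rule now carries named exclusions for the Citrix updater and THOR while `falsepositives` still reads `- Unknown`; list them there. The `detection:` block and its `selection_*` items start above the hunk.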