diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml
index 2b16ce492..f68c16bff 100644
--- a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml
+++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml
@@ -20,8 +20,6 @@ detection:
 Provider_Name: 'Service Control Manager'
 EventID: 7045
 # ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
- # Example 1: C:\wiNdOWs\SystEm32\cMD.EXe /c "sET XnK= Invoke-Expression (New-Object Net.WebClient).DownloadString && sET PZVh=ECho ${EXECutIoNcOnTExT}.inVokecommaNd.iNvoKeSCrIPt( ([eNvirOnMEnT]::GETenVIrOnmENtVARIABLe('XNk','pRoceSS'))) ^| poweRSHelL -NoE - && C:\wiNdOWs\SystEm32\cMD.EXe /c%PzVh%"
- # Example 2: C:\winDowS\SysteM32\Cmd /C "set sHM=Invoke-Expression (New-Object Net.WebClient).DownloadString && SEt gBc=ECHO $eXECutionconTeXt.inVoKECOmmanD.InVoKESCripT( ([ENVirOnment]::geTenVIrONMEnTvaRIAble('shM','PRoCEss')) ) ^| C:\WiNDoWS\SYSwoW64\WindoWSpoWerSHelL\V1.0\pOwersheLl.EXe ^^^&( $PShOME[4]+$psHOMe[30]+'X') ( $InPUt) && C:\winDowS\SysteM32\Cmd /C %gbc%"
 ImagePath|contains|all:
 - 'set'
 - '&&'
diff --git a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_stdin.yml b/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_stdin.yml
index f4f5f7bbb..cf9fbbfee 100644
--- a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_stdin.yml
@@ -18,8 +18,6 @@ logsource:
 detection:
 selection:
 # CommandLine|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
- # Example 1: C:\wiNdOWs\SystEm32\cMD.EXe /c "sET XnK= Invoke-Expression (New-Object Net.WebClient).DownloadString && sET PZVh=ECho ${EXECutIoNcOnTExT}.inVokecommaNd.iNvoKeSCrIPt( ([eNvirOnMEnT]::GETenVIrOnmENtVARIABLe('XNk','pRoceSS'))) ^| poweRSHelL -NoE - && C:\wiNdOWs\SystEm32\cMD.EXe /c%PzVh%"
- # Example 2: C:\winDowS\SysteM32\Cmd /C "set sHM=Invoke-Expression (New-Object Net.WebClient).DownloadString && SEt gBc=ECHO $eXECutionconTeXt.inVoKECOmmanD.InVoKESCripT( ([ENVirOnment]::geTenVIrONMEnTvaRIAble('shM','PRoCEss')) ) ^| C:\WiNDoWS\SYSwoW64\WindoWSpoWerSHelL\V1.0\pOwersheLl.EXe ^^^&( $PShOME[4]+$psHOMe[30]+'X') ( $InPUt) && C:\winDowS\SysteM32\Cmd /C %gbc%"
 CommandLine|contains|all:
 - 'set'
 - '&&'