diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index fd0b008d3..f5c6bef24 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -51,7 +51,8 @@ process where host.os.type == "windows" and event.type == "start" and
 "WerFault.exe",
 "WUDFHost.exe",
 "unsecapp.exe",
- "wlanext.exe" )
+ "wlanext.exe" ) and
+ not (process.parent.name : "dllhost.exe" and process.parent.args : "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}")
 '''
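Review bot: The new exclusion on the added lines is keyed only on `process.parent.name` and `process.parent.args`, both of which are chosen by whoever launches the parent, so any process carrying the name dllhost.exe and that same `/Processid:` string suppresses the alert, not just the Windows COM surrogate; the enclosing EQL query begins before the hunk. Anchoring the exclusion to the genuine binary keeps the intended case while narrowing the gap, e.g. `not (process.parent.name : "dllhost.exe" and process.parent.executable : ("?:\\Windows\\System32\\dllhost.exe", "?:\\Windows\\SysWOW64\\dllhost.exe") and process.parent.args : "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}")`, optionally adding `process.parent.code_signature.trusted == true` if that field is populated in the target data. The CLSID is not explained anywhere in the hunk; a sentence in the rule's `false_positives` or `note` field naming which COM class this surrogate hosts and why it legitimately starts a command shell would let a later maintainer judge whether the exclusion is still warranted.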