diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml
index 6343b0bbe..335896d91 100644
--- a/rules/windows/credential_access_kerberoasting_unusual_process.toml
+++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2022/05/09"
+updated_date = "2022/07/29"
 
 [rule]
 author = ["Elastic"]
@@ -88,7 +88,16 @@ type = "eql"
 query = '''
 network where event.type == "start" and network.direction : ("outgoing", "egress") and
  destination.port == 88 and source.port >= 49152 and
- process.executable != "C:\\Windows\\System32\\lsass.exe" and destination.address !="127.0.0.1" and destination.address !="::1" and
+ not process.executable :
+            ("?:\\Windows\\System32\\lsass.exe",
+             "System",
+             "\\device\\harddiskvolume?\\windows\\system32\\lsass.exe",
+             "?:\\Program Files\\rapid7\\nexpose\\nse\\.DLLCACHE\\nseserv.exe",
+             "?:\\Program Files (x86)\\GFI\\LanGuard 12 Agent\\lnsscomm.exe",
+             "?:\\Program Files (x86)\\SuperScan\\scanner.exe",
+             "?:\\Program Files (x86)\\Nmap\\nmap.exe",
+             "\\device\\harddiskvolume?\\program files (x86)\\nmap\\nmap.exe") and
+ destination.address !="127.0.0.1" and destination.address !="::1" and
  /* insert false positives here */
  not process.name in ("swi_fc.exe", "fsIPcam.exe", "IPCamera.exe", "MicrosoftEdgeCP.exe", "MicrosoftEdge.exe", "iexplore.exe", "chrome.exe", "msedge.exe", "opera.exe", "firefox.exe")
 '''