diff --git a/rules/linux/command_and_control_linux_kworker_netcon.toml b/rules/linux/command_and_control_linux_kworker_netcon.toml
index f54235fd2..1c34f9560 100644
--- a/rules/linux/command_and_control_linux_kworker_netcon.toml
+++ b/rules/linux/command_and_control_linux_kworker_netcon.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/12/12"
+updated_date = "2024/04/30"

 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ kernel's workqueue mechanism. They are responsible for executing work that has b
 space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks.
 Attackers may attempt to evade detection by masquerading as a kernel worker process.
 """
-from = "now-60m"
+from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -69,7 +69,7 @@ process.name:kworker* and not destination.ip:(
 "::1" or
 "FE80::/10" or
 "FF00::/8"
-)
+) and not destination.port:2049
 '''

 [[rule.threat]]
@@ -113,7 +113,7 @@ framework = "MITRE ATT&CK"

 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "process.name", "destination.ip"]
+value = ["process.name", "destination.ip", "destination.port"]

 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
diff --git a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
index fd120355b..e063595ee 100644
--- a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
+++ b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
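Review bot: `from = "now-9m"` cuts the query window from 60 minutes to 9, which only stays gap-free if the rule's `interval` is a few minutes shorter than that; `interval` is not in the hunk, so I cannot confirm the overlap. With the default 5m interval this is the usual 4-minute overlap and fine, but if the interval had been raised to match the old 60m lookback, events between two runs will now be missed. A trailing comment such as `from = "now-9m"  # must stay longer than interval so consecutive runs overlap` would make that dependency explicit for the next edit.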
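Review bot: The added `and not destination.port:2049` drops every `kworker*` connection to port 2049 regardless of destination address, whereas the neighbouring `not destination.ip:(...)` clause only exempts loopback and link-local/multicast ranges (the start of that clause and the rest of the query are outside the hunk). A port-only exclusion is a permanent blind spot in this rule, so the reason for it needs to be recorded where a maintainer will see it, presumably in the rule's `false_positives` or `note` field, e.g. `"Kernel worker threads performing NFS client I/O (destination port 2049) are excluded from the query; revisit this exclusion if NFS is not used in the environment."`. If the trusted NFS servers are known, narrowing the exclusion to their addresses rather than the bare port would keep most of the coverage.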
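Review bot: Removing `host.id` from `value` changes what counts as "new": a `process.name`/`destination.ip`/`destination.port` triple first seen on any host inside the history window now suppresses the same triple on every other host, so a second host that starts contacting an address the first one already reached will not alert. That may be the intended fleet-wide deduplication, but the commit does not say so, and the `[[rule.new_terms.history_window_start]]` table that bounds the window continues outside the hunk. I would record the trade-off next to the key, e.g. `# host.id intentionally omitted: a destination first seen by any host counts as known fleet-wide (fewer alerts, no per-host first-contact signal)`. If per-host first contact is what this rule is meant to catch, keep `host.id` and add `destination.port` rather than swapping them.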
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/30"

 [transform]
 [[transform.osquery]]
@@ -154,7 +154,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 // gost & pivotnacci - spawned without process.parent.name
 (process.name == "gost" and process.args : ("-L*", "-C*", "-R*")) or (process.name == "pivotnacci")) or (
 // ssh
- (process.name in ("ssh", "sshd") and (process.args in ("-R", "-L", "D", "-w") and process.args_count >= 4 and
+ (process.name in ("ssh", "sshd") and (process.args in ("-R", "-L", "-D", "-w") and process.args_count >= 4 and
 not process.args : "chmod")) or
 // sshuttle
 (process.name == "sshuttle" and process.args in ("-r", "--remote", "-l", "--listen") and process.args_count >= 4) or
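Review bot: The corrected ssh clause still uses exact matching, `process.args in ("-R", "-L", "-D", "-w")`, while the gost clause two lines above uses wildcards, `process.args : ("-L*", "-C*", "-R*")`; with `in`, the fixed `-D` only matches when the port is passed as a separate argument, so the attached form (`-D1080`) is not covered. If wildcard matching is acceptable for ssh as well, `process.args : ("-R*", "-L*", "-D*", "-w*")` would bring the line in step with the gost entry; if exact matching is deliberate, a short `// exact match on purpose: ...` comment above the line would stop the next reader from changing it. The `query` literal this hunk belongs to begins and ends outside the hunk.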