diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 0dfedb601..09a9937d0 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2022/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -19,9 +19,15 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
 process.parent.name : "svchost.exe" and process.name : "cmd.exe" and
- not (process.pe.original_file_name == "Cmd.Exe" and process.args : "?:\\Program Files\\Npcap\\CheckStatus.bat??")
+ not (process.pe.original_file_name : "cmd.exe" and process.args : (
+ "??:\\Program Files\\Npcap\\CheckStatus.bat?",
+ "?:\\Program Files\\Npcap\\CheckStatus.bat",
+ "\\system32\\cleanmgr.exe",
+ "?:\\Windows\\system32\\silcollector.cmd",
+ "\\system32\\AppHostRegistrationVerifier.exe",
+ "\\system32\\ServerManagerLauncher.exe"))
 '''