diff --git a/rules/windows/credential_access_web_config_file_access.toml b/rules/windows/credential_access_web_config_file_access.toml
index aa8987054..e8bd3d77a 100644
--- a/rules/windows/credential_access_web_config_file_access.toml
+++ b/rules/windows/credential_access_web_config_file_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/08/04"
+updated_date = "2026/01/19"
 [rule]
 author = ["Elastic"]
@@ -52,9 +52,9 @@ Web.config files are crucial in Windows environments, storing sensitive data lik
 references = [
 "https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/",
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "5841b80f-a1f8-4c00-a966-d2cc4a7a82e4"
-severity = "medium"
+severity = "high"
 tags = [
 "Domain: Endpoint",
 "OS: Windows",
@@ -68,7 +68,12 @@ type = "new_terms"
 query = '''
 event.category:file and host.os.type:windows and event.action:open and
- file.name:"web.config" and file.path : *VirtualDirectories*
+ file.name:"web.config" and file.path : *VirtualDirectories* and
+ not process.executable: (
+ "C:\Program Files\Microsoft Security Client\MsMpEng.exe" or
+ "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" or
+ "C:\Windows\System32\MRT.exe"
+ )
 '''
diff --git a/rules/windows/persistence_web_shell_aspx_write.toml b/rules/windows/persistence_web_shell_aspx_write.toml
index 8ca2f2632..087b5183a 100644
--- a/rules/windows/persistence_web_shell_aspx_write.toml
+++ b/rules/windows/persistence_web_shell_aspx_write.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/24"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/18"
+updated_date = "2026/01/19"
 [rule]
 author = ["Elastic"]
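Review bot: The three exclusions added to `query` in the `@@ -68,7 +68,12 @@` hunk decide that a security-sensor binary is the reader from its `process.executable` string alone, which makes the whitelist only as strong as the filename; pairing the list with `process.code_signature.trusted:true` (and a matching `process.code_signature.subject_name`) ties the exclusion to the signed binary rather than to a path. The same observation applies to the `psconfigui.exe` exclusion added in persistence_web_shell_aspx_write.toml further down. Presumably the built-in Defender engine is also opening these files; `MsMpEng.exe` normally runs from a versioned platform directory rather than `Microsoft Security Client` (the System Center Endpoint Protection location), so confirm against telemetry which path is actually being seen before settling on this list. A one-line comment above the exclusion block stating why these three readers are benign (scheduled scans of the web root) would make the intent reviewable later.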
@@ -63,9 +63,9 @@ references = [
 "https://www.sentinelone.com/blog/sharepoint-toolshell-zero-day-exploited-in-the-wild-targets-enterprise-servers/",
 "https://www.rapid7.com/blog/post/2024/10/30/investigating-a-sharepoint-compromise-ir-tales-from-the-field/",
 ]
-risk_score = 21
+risk_score = 47
 rule_id = "32144184-7bfa-4541-9c3f-b65f16d24df9"
-severity = "low"
+severity = "medium"
 tags = [
 "Domain: Endpoint",
 "OS: Windows",
@@ -86,7 +86,10 @@ query = '''
 file where host.os.type == "windows" and event.type != "deletion" and file.extension : "aspx" and file.path : "?:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*" and
- not process.executable: "?:\\Windows\\System32\\msiexec.exe"
+ not process.executable: (
+ "?:\\Windows\\System32\\msiexec.exe",
+ "?:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\16\\BIN\\psconfigui.exe"
+ )
 '''
 [[rule.threat]]
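Review bot: The new `psconfigui.exe` exclusion in the `@@ -86,7 +86,10 @@` hunk covers only the GUI configuration wizard; its command-line counterpart `psconfig.exe` lives in the same `16\BIN` directory and presumably performs the same ASPX writes when the wizard is run unattended, so if telemetry confirms that it needs the same entry (the identical path with `psconfig.exe` in place of `psconfigui.exe`). The excluded binary also sits inside the `Web Server Extensions` tree the rule itself monitors, which is worth a short comment above the `not process.executable` block explaining why that reader is trusted. The `query = '''` line that opens this block is the hunk header's trailer, so the block begins outside the hunk.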