diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
index 29c368ade..4ee06986d 100644
--- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
+++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/11"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/07/30"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,22 @@
 process where event.code == "10" and length(winlog.event_data.CallTrace) > 0 and
 /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */
- not winlog.event_data.CallTrace : ("?:\\WINDOWS\\SYSTEM32\\ntdll.dll*", "?:\\WINDOWS\\SysWOW64\\ntdll.dll*")
+ not winlog.event_data.CallTrace :
+ ("?:\\WINDOWS\\SYSTEM32\\ntdll.dll*",
+ "?:\\WINDOWS\\SysWOW64\\ntdll.dll*",
+ "?:\\Windows\\System32\\wow64cpu.dll*",
+ "?:\\WINDOWS\\System32\\wow64win.dll*",
+ "?:\\Windows\\System32\\win32u.dll*") and
+
+ not winlog.event_data.TargetImage :
+ ("?:\\Program Files (x86)\\Malwarebytes Anti-Exploit\\mbae-svc.exe",
+ "?:\\Program Files\\Cisco\\AMP\\*\\sfc.exe",
+ "?:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*\\msedgewebview2.exe",
+ "?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\*\\AcroCEF.exe") and
+
+ not (process.executable : ("?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe",
+ "?:\\Program Files (x86)\\World of Warcraft\\_classic_\\WowClassic.exe") and
+ not winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe")
 '''