diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
index 3bfe6d913..507434ce2 100644
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml
+++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/27"
 [rule]
 author = ["Elastic"]
@@ -49,7 +49,7 @@ library where dll.name :
 "windowsperformancerecordercontrol.dll",
 "diagtrack_win.dll"
 ) and
-not (dll.code_signature.subject_name : "Microsoft Windows" and dll.code_signature.status : "trusted")
+not (dll.code_signature.subject_name : ("Microsoft Windows", "Microsoft Corporation") and dll.code_signature.status : "trusted")
 '''
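Review bot: The widened signer exclusion on the `not (...)` line applies to every name in the `dll.name` list, so a library with a trusted "Microsoft Corporation" signature is now ignored under all of those names, not only the ones that produced false positives. "Microsoft Corporation" signs far more than OS components, so this is a broader detection gap than the original "Microsoft Windows" check. If the false positives came from a few specific libraries (the hunk does not say which), consider keeping the original line and adding a scoped clause such as `and not (dll.name : ("<fp-dll-name>") and dll.code_signature.subject_name : "Microsoft Corporation" and dll.code_signature.status : "trusted")`, or additionally constraining on `dll.path`. The query begins above this hunk, so the full name list is not visible here.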