diff --git a/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml b/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml
index 08c909af..7c336fd0 100644
--- a/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml
+++ b/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml
@@ -17,10 +17,13 @@ logsource:
     product: windows
 detection:
     selection:
-        Image:
+        Image|endswith:
             - '\dism.exe'
-        ImageLoaded:
+        ImageLoaded|endswith:
             - '\dismcore.dll'
+    filter:
+        ImageLoaded:
+            - 'C:\Windows\System32\Dism\dismcore.dll'
     condition: selection
 falsepositives:
     - Pentests
diff --git a/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml b/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml
index 6ecb4f6f..3370443a 100644
--- a/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml
+++ b/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml
@@ -16,7 +16,7 @@ logsource:
     product: windows
 detection:
     selection:
-        CallTrace: '*editionupgrademanagerobj.dll*'
+        CallTrace|contains: '*editionupgrademanagerobj.dll*'
     condition: selection
 fields:
     - ComputerName
diff --git a/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml b/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml
index 8ac1fdd5..d20032bd 100644
--- a/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml
+++ b/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml
@@ -5,7 +5,6 @@ description: Unfixed method for UAC bypass from windows 10. WSReset.exe file ass
 references:
     - https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly
     - https://lolbas-project.github.io/lolbas/Binaries/Wsreset
-
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation
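Review bot: The new `filter` block in sysmon_uac_bypass_via_dism.yml is dead because the condition line below it is left as `condition: selection`, so the legitimate `C:\Windows\System32\Dism\dismcore.dll` load is never excluded and the rule keeps firing on every normal DISM run. Wire it in with `condition: selection and not filter`. With `ImageLoaded|endswith: '\dismcore.dll'` now matching any directory, the filter is what turns this into a detection of the DLL being loaded from an unexpected location, which is the behaviour the rule title describes; whether a SysWOW64 copy of the DLL also needs to be allow-listed is not visible here and would need confirming against a reference host. The rule's title and id lines are outside the hunk.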
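Review bot: In sysmon_load_undocumented_autoelevated_com_interface.yml the `contains` modifier already wraps the value in wildcards, so keeping the explicit `*` on both ends of `'*editionupgrademanagerobj.dll*'` is redundant and, depending on the backend, can be rendered as a doubled wildcard. The value should be the bare string: `CallTrace|contains: 'editionupgrademanagerobj.dll'`. This is a style point only; the match semantics are unchanged on backends that collapse the wildcards.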