diff --git a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
index 85dfa1fd8b4..62d6ab820b2 100644
--- a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
@@ -4,7 +4,7 @@ integration = ["windows", "endpoint", "sentinel_one_cloud_funnel", "m365_defende
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2024/10/15"
+updated_date = "2024/12/12"
 [transform]
 [[transform.osquery]]
@@ -114,12 +114,15 @@ query = '''
 file where host.os.type == "windows" and event.type != "deletion" and file.path != null and file.name : ("amsi.dll", "amsi") and not file.path : (
+ "?:\\$SysReset\\CloudImage\\Package_for_RollupFix*",
 "?:\\Windows\\system32\\amsi.dll",
 "?:\\Windows\\Syswow64\\amsi.dll",
 "?:\\$WINDOWS.~BT\\DUImageSandbox\\*",
 "?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSXS\\*",
 "?:\\$WINDOWS.~BT\\NewOS\\Windows\\servicing\\LCU\\*",
 "?:\\$WINDOWS.~BT\\Work\\*\\*",
+ "?:\\$WINDOWS.~BT\\Store\\Offline\\File\\C$\\Windows\\SoftwareDistribution\\Download.bak\\*",
+ "?:\\Windows\\CbsTemp\\*\\f\\amsi.dll",
 "?:\\Windows\\SoftwareDistribution\\Download\\*",
 "?:\\Windows\\WinSxS\\amd64_microsoft-antimalware-scan-interface_*\\amsi.dll"
 ) and
@@ -129,7 +132,10 @@ file where host.os.type == "windows" and event.type != "deletion" and file.path
 file.path : (
 "\\Device\\HarddiskVolume??\\Windows\\system32\\amsi.dll",
 "\\Device\\HarddiskVolume??\\Windows\\syswow64\\amsi.dll",
- "\\Device\\HarddiskVolume??\\Windows\\WinSxS\\*\\amsi.dll"
+ "\\Device\\HarddiskVolume??\\Windows\\WinSxS\\*\\amsi.dll",
+ "\\\\?\\Volume{*}\\Windows\\WinSxS\\*\\amsi.dll",
+ "\\\\?\\Volume{*}\\Windows\\system32\\amsi.dll",
+ "\\\\?\\Volume{*}\\Windows\\syswow64\\amsi.dll"
 )
 )
 '''
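Review bot: The new `"?:\\$SysReset\\CloudImage\\Package_for_RollupFix*"` entry is the only item in the exclusion list that ends in a bare `*` with no path separator or file name after it, so it drops an amsi.dll at any depth beneath any directory whose name merely starts with Package_for_RollupFix, whereas the two other additions in this hunk, `...Download.bak\\*` and `...CbsTemp\\*\\f\\amsi.dll`, each pin at least one directory boundary. If the servicing stack writes the DLL at a known depth, `"?:\\$SysReset\\CloudImage\\Package_for_RollupFix*\\amsi.dll"` would be the tighter form; if unbounded depth really is needed, an EQL comment in the query such as `/* reset/rollup staging copies, any depth */` would explain it to the next tuning pass. All three new entries are path-only exclusions with no process or signer condition visible in this hunk, so an amsi.dll written there by any process is silently dropped; that is worth confirming against the conditions that follow `) and`, which continue outside the hunk along with the rest of the query string.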
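Review bot: The added `"\\\\?\\Volume{*}\\Windows\\WinSxS\\*\\amsi.dll"` accepts any WinSxS subdirectory, while the drive-letter form retained in the earlier exclusion block is pinned to `amd64_microsoft-antimalware-scan-interface_*\\amsi.dll`; the three volume-GUID entries otherwise mirror the `\\Device\\HarddiskVolume??` set one for one, so the looser WinSxS pattern looks inherited from the pre-existing line rather than chosen for the new notation. If nothing observed under `Volume{*}` needs the broader match, `"\\\\?\\Volume{*}\\Windows\\WinSxS\\amd64_microsoft-antimalware-scan-interface_*\\amsi.dll"` keeps the two path notations equally strict, and the same tightening could be applied to the device-path line at the same time. The condition that owns this `file.path : (` list opens before the hunk; only its closing parentheses and the end of the query string are visible here.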
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
index b8ee94c421c..5a8bf24a70d 100644
--- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
+++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/12/12"
 [transform]
 [[transform.osquery]]
@@ -148,6 +148,15 @@ sequence with maxspan=1m
 (
 process.executable : "?:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\sophos_autoupdate1.dir\\SophosUpdate.exe" and
 process.code_signature.trusted == true and process.code_signature.subject_name : "Sophos Ltd"
+ ) or
+ /* Elastic processes */
+ (
+ process.executable : (
+ "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\previous\\elastic-endpoint.exe",
+ "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\elastic-agent.exe",
+ "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\agentbeat.exe"
+ ) and
+ process.code_signature.trusted == true and process.code_signature.subject_name : "Elasticsearch, Inc."
 )
 )
 ] by host.id, process.executable
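Review bot: The new Elastic allow-list names `components\\previous\\elastic-endpoint.exe` and `components\\agentbeat.exe` but not `components\\elastic-endpoint.exe`; if the intent is to cover Agent self-upgrade, the current endpoint binary path may still trip the sequence once the `previous` copy has been made, though the list may deliberately reflect only the executions that were observed, so this is worth confirming against the triggering events before widening it. The `*` in `elastic-agent-*` is not stopped by a path separator, so the pairing with `process.code_signature.trusted == true and process.code_signature.subject_name : "Elasticsearch, Inc."` is what actually bounds the exclusion; any future path added to this list should stay on the same `and` branch as that signer check. Style-wise the block follows the surrounding vendor entries (labelled `/* ... */` comment, `( ... ) or` grouping), which keeps the growing list readable. The sequence step that contains this exclusion opens before the hunk; only its closing brackets and the `by host.id, process.executable` join are visible.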