diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/sigma/builtin/process_creation/proc_creation_win_susp_system_user_anomaly.yml
index 7f4f5a22d..75fbf21e3 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_system_user_anomaly.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_system_user_anomaly.yml
@@ -8,7 +8,7 @@ references:
 - https://tools.thehacker.recipes/mimikatz/modules
 author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
 date: 2021/12/20
-modified: 2023/01/19
+modified: 2023/12/14
 tags:
 - attack.credential_access
 - attack.defense_evasion
@@ -82,12 +82,16 @@ detection:
 ParentCommandLine|contains: \DismFoDInstall.cmd
 NewProcessName|endswith: \PING.EXE
 filter_config_mgr:
- ParentProcessName|startswith: C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\
+ ParentProcessName|contains: :\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\
 filter_java:
 CommandLine|contains: ' -ma '
- ParentProcessName|startswith: C:\Program Files (x86)\Java\
+ ParentProcessName|contains:
+ - :\Program Files (x86)\Java\
+ - :\Program Files\Java\
 ParentProcessName|endswith: \bin\javaws.exe
- NewProcessName|startswith: C:\Program Files (x86)\Java\
+ NewProcessName|contains:
+ - :\Program Files (x86)\Java\
+ - :\Program Files\Java\
 NewProcessName|endswith: \bin\jp2launcher.exe
 condition: process_creation and (all of selection* and not 1 of filter_*)
 falsepositives:
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_system_user_anomaly.yml
index da969dfd8..7b085727c 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_system_user_anomaly.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_system_user_anomaly.yml
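Review bot: In `filter_java`, replacing `startswith: C:\Program Files (x86)\Java\` with `contains: :\Program Files (x86)\Java\` (plus the new `:\Program Files\Java\` entry) drops the anchoring to the start of the path, so the exclusion now matches a `Program Files\Java\` tree at the root of any volume rather than only the system drive, where directory permissions are typically tighter than on secondary or mapped volumes; the same widening is applied to `filter_config_mgr` in this hunk and to both filters in the sysmon rule in the second file. If the goal is only to also cover the 64-bit install location, a `startswith` list (`C:\Program Files (x86)\Java\`, `C:\Program Files\Java\`) keeps the anchoring while adding that coverage. If non-`C:` installs are intentionally accepted, record that decision next to the filter with a comment such as `# contains rather than startswith: Java may live under either Program Files directory and on a non-system drive`. The `selection*` blocks referenced by `condition` are above the hunk and not visible here.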
@@ -8,7 +8,7 @@ references:
 - https://tools.thehacker.recipes/mimikatz/modules
 author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
 date: 2021/12/20
-modified: 2023/01/19
+modified: 2023/12/14
 tags:
 - attack.credential_access
 - attack.defense_evasion
@@ -83,11 +83,15 @@ detection:
 Image|endswith: \PING.EXE
 ParentCommandLine|contains: \DismFoDInstall.cmd
 filter_config_mgr:
- ParentImage|startswith: C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\
+ ParentImage|contains: :\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\
 filter_java:
- ParentImage|startswith: C:\Program Files (x86)\Java\
+ ParentImage|contains:
+ - :\Program Files (x86)\Java\
+ - :\Program Files\Java\
 ParentImage|endswith: \bin\javaws.exe
- Image|startswith: C:\Program Files (x86)\Java\
+ Image|contains:
+ - :\Program Files (x86)\Java\
+ - :\Program Files\Java\
 Image|endswith: \bin\jp2launcher.exe
 CommandLine|contains: ' -ma '
 condition: process_creation and (all of selection* and not 1 of filter_*)