diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-35250/privilege_escalation_via_cve_2024_35250.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-35250/privilege_escalation_via_cve_2024_35250.yml
index 303fe2e3201..8ea7867b5c6 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-35250/privilege_escalation_via_cve_2024_35250.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-35250/privilege_escalation_via_cve_2024_35250.yml
@@ -1,38 +1,38 @@
-title: Privilege Escalation via CVE-2024-35250
-id: 17ce9373e-2163-4a2c-90ba-f91e9ef7a8c1
+title: CVE-2024-35250 Exploitation
+id: 17ce9373-2163-4a2c-90ba-f91e9ef7a8c1
 status: experimental
-description: Detects when cmd.exe with system privileges is executed after a process loads 'ksproxy.ax' and 'ksuser.dll', indicating potential exploitation of CVE-2024-35250.
+description: |
+ Detects suspicious loading of ksproxy.ax, which may indicate an attempt to exploit CVE-2024-35250.
 references:
 - https://thehackernews.com/2024/12/cisa-and-fbi-raise-alerts-on-exploited.html
 - https://github.com/varwara/CVE-2024-35250
 - https://devco.re/blog/2024/08/23/streaming-vulnerabilities-from-windows-kernel-proxying-to-kernel-part1-en/
 - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
-author: '@eyezuhk Isaac Fernandes '
-date: 2024-12-19
+author: '@eyezuhk Isaac Fernandes'
+date: 2024/12/19
+modified: 2025/01/09
 tags:
+ - attack.privilege_escalation
 - attack.t1068
- - attack.exploitation_for_privilege_escalation
 - cve.2024.35250
 logsource:
+ category: image_load
 product: windows
- service: sysmon
- category: process
- definition: 'Sysmon event logs capturing process image loads and registry modifications'
- eventid:
- - 7 # Image Loaded
- - 13 # Registry event
 detection:
- selection_imgload:
- EventID: 7
- ImageLoaded|endswith:
- - "ksproxy.ax"
- - "ksuser.dll"
- User: not "NT AUTHORITY\\SYSTEM"
- selection_registry:
- EventID: 13
- TargetObject|contains: "HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-18\\Device\\HarddiskVolume*\\Windows\\System32\\cmd.exe"
- User: "NT AUTHORITY\\SYSTEM"
- condition: selection_imgload and selection_registry
+ selection:
+ ImageLoaded|endswith:
+ - '\ksproxy.ax'
+ filter_system_paths:
+ Image|startswith:
+ - 'C:\Program Files'
+ - 'C:\Windows\System32'
+ - 'C:\Windows\SysWOW64'
+ filter_legitimate_apps:
+ Image|endswith:
+ - '\AppData\Local\Microsoft\Teams\current\Teams.exe'
+ condition: selection and not 1 of filter_*
 falsepositives:
- - Legitimate system processes that load ksproxy.ax and ksuser.dll may trigger this rule.
+ - Legitimate applications that use Windows Stream Interface APIs
+ - Media applications that use DirectShow filters
+ - AppData\Roaming\Zoom\bin\Zoom.exe,AppData\Local\Mozilla Firefox\firefox.exe,AppData\Local\Google\Chrome\Application\chrome.exe,AppData\Local\Programs\Opera\opera.exe,Discord.exe,obs64.exe
 level: high
\ No newline at end of file
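Review bot: The third `falsepositives` entry is a comma-joined list of executable paths (`AppData\Roaming\Zoom\bin\Zoom.exe,…,obs64.exe`), but `falsepositives` is a free-text field that no backend turns into a filter, so these paths neither describe a false positive for an analyst nor exclude anything at query time. Either rewrite the entry as prose, e.g. `- Conferencing, browser and streaming software installed under AppData (Zoom, Firefox, Chrome, Opera, Discord, OBS)`, or, if they are meant to be excluded, add them as `Image|endswith` entries under `filter_legitimate_apps` next to the Teams path. Exclusions keyed on user-writable `AppData` paths are weak by construction (any process residing at such a path is exempted), so widening that filter trades coverage for less noise and the trade-off should be stated in the description, which currently says only that the load is "suspicious" and no longer explains why. Separately, `date`/`modified` switch from the ISO form the removed line used (`2024-12-19`) to `2024/12/19`; if the repository's validator expects ISO 8601 dates this will be rejected, so confirm the convention before merging.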