diff --git a/0_custom_configuration/all_modules.txt b/0_custom_configuration/all_modules.txt
index d0b50367..52dae086 100644
Binary files a/0_custom_configuration/all_modules.txt and b/0_custom_configuration/all_modules.txt differ
diff --git a/sysmonconfig.xml b/sysmonconfig.xml
index 5d99e6b2..ec25b91b 100644
--- a/sysmonconfig.xml
+++ b/sysmonconfig.xml
@@ -782,6 +782,18 @@
         <DestinationPort name="technique_id=T1021,technique_name=Remote Services" condition="is">5986</DestinationPort>
         <Image name="technique_id=T1569.002,technique_name=Service Execution" condition="image">psexec.exe</Image>
         <Image name="technique_id=T1569.002,technique_name=Service Execution" condition="image">psexesvc.exe</Image>
+        <Rule groupRelation="and">
+          <SourcePort name="technique_id=T1557,technique_name=Adversary-in-the-Middle" condition="is any">445;389;8492;636;3268;3269</SourcePort>
+          <Image condition="is not">C:\Windows\System32\lsass.exe</Image>
+        </Rule>
+        <Rule groupRelation="and">
+          <SourcePort name="technique_id=T1557,technique_name=Adversary-in-the-Middle" condition="is any">445;389;8492;636;3268;3269</SourcePort>
+          <Image condition="is not">c:\Windows\System32\dsamain.exe</Image>
+        </Rule>
+        <Rule groupRelation="and">
+          <SourcePort name="technique_id=T1557,technique_name=Adversary-in-the-Middle" condition="is any">445;389;8492;636;3268;3269</SourcePort>
+          <ProcessId condition="is not">4</ProcessId>
+        </Rule>
         <Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users</Image>
         <Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\ProgramData</Image>
         <Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Temp</Image>