diff --git a/yara/gen_github_net_redteam_tools_names.yar b/yara/gen_github_net_redteam_tools_names.yar index 5907faf1..760c0972 100644 --- a/yara/gen_github_net_redteam_tools_names.yar +++ b/yara/gen_github_net_redteam_tools_names.yar @@ -248,6 +248,7 @@ rule HKTL_NET_NAME_SharpBuster { (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } +/* removed, too many FP rule HKTL_NET_NAME_AmsiBypass { meta: description = "Detects .NET red/black-team tools via name" @@ -267,6 +268,7 @@ rule HKTL_NET_NAME_AmsiBypass { (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of ($s*) and not 1 of ($fp*) } +*/ rule HKTL_NET_NAME_Recon_AD { meta: diff --git a/yara/gen_imphash_detection.yar b/yara/gen_imphash_detection.yar index 94daa8dc..b3db875a 100644 --- a/yara/gen_imphash_detection.yar +++ b/yara/gen_imphash_detection.yar @@ -300,7 +300,7 @@ rule SUSP_Imphash_Mar23_3 { license = "Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License" author = "Arnim Rupp (https://github.com/ruppde)" date = "2023-03-23" - modified = "2025-08-15" + modified = "2026-03-09" reference = "Internal Research" score = 45 hash = "b5296cf0eb22fba6e2f68d0c9de9ef7845f330f7c611a0d60007aa87e270c62a" @@ -320,10 +320,10 @@ rule SUSP_Imphash_Mar23_3 { //pe.imphash() == "87bed5a7cba00c7e1f4015f1bdae2183" or // UPX imphash //pe.imphash() == "09d0478591d4f788cb3e5ea416c25237" or // PECompact imphash // pe.imphash() == "6ed4f5f04d62b18d96b26d6db7c18840" or // too many fp by now + // pe.imphash() == "0b5552dccd9d0a834cea55c0c8fc05be" + // pe.imphash() == "fc6683d30d9f25244a50fd5357825e79" or pe.imphash() == "afcdf79be1557326c854b6e20cb900a7" or - pe.imphash() == "fc6683d30d9f25244a50fd5357825e79" or - pe.imphash() == "2c5f2513605e48f2d8ea5440a870cb9e" or - pe.imphash() == "0b5552dccd9d0a834cea55c0c8fc05be" + pe.imphash() == "2c5f2513605e48f2d8ea5440a870cb9e" ) and pe.number_of_signatures == 0 } 
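Review bot: Disabling HKTL_NET_NAME_AmsiBypass by wrapping it in `/* removed, too many FP` … `*/` leaves the rule's full text, including its `$s*`/`$fp*` string definitions that fall outside this hunk, inside a C-style block comment, and YARA block comments do not nest or escape: if any of those strings contains the two characters `*/`, the comment ends early and the whole file stops compiling, so the change should be verified with a compile (yarac) of the file rather than by eye. Since git history already preserves the rule, deleting it outright would be cleaner than ~20 lines of dead text that rule indexers grepping for `rule HKTL_NET_NAME_AmsiBypass` may still pick up; if the comment-out is kept on purpose, the opening marker should at least record when and why, e.g. `/* removed 2026-03-09: HKTL_NET_NAME_AmsiBypass, too many FPs on legitimate .NET binaries`. The reason given ("too many FP") is not otherwise documented anywhere in the file metadata, so a future maintainer has no way to judge whether a tightened `$fp*` list would let the rule come back.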
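Review bot: The two imphashes newly commented out in SUSP_Imphash_Mar23_3 (`0b5552dc…` and `fc6683d3…`) carry no reason or date, unlike the neighbouring disabled entries which say `// UPX imphash`, `// PECompact imphash` and `// too many fp by now`, so it is impossible to tell later whether they were dropped for false positives or because they are covered elsewhere. I would annotate them in the same style, e.g. `// pe.imphash() == "0b5552dccd9d0a834cea55c0c8fc05be" or // disabled 2026-03-09: too many FP`, and keep the trailing `or` on both disabled lines so they read consistently with the rest of the disabled list. The `modified` bump in the earlier hunk records the date but not the reason either. The rule's `hash =` meta entries were not touched; if any of those samples matched only through one of the removed imphashes they are now stale references and probably worth reviewing, though that cannot be determined from the hunk.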
diff --git a/yara/gen_webshells.yar b/yara/gen_webshells.yar index 9c2ad211..da3c99a2 100644 --- a/yara/gen_webshells.yar +++ b/yara/gen_webshells.yar @@ -961,9 +961,9 @@ rule WEBSHELL_PHP_Double_Eval_Tiny license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp (https://github.com/ruppde)" reference = "Internal Research" - score = 75 + score = 70 date = "2021-01-11" - modified = "2023-07-05" + modified = "2026-02-23" hash = "f66fb918751acc7b88a17272a044b5242797976c73a6e54ac6b04b02f61e9761" hash = "6b2f0a3bd80019dea536ddbf92df36ab897dd295840cb15bb7b159d0ee2106ff" hash = "aabfd179aaf716929c8b820eefa3c1f613f8dcac" @@ -977,6 +977,7 @@ rule WEBSHELL_PHP_Double_Eval_Tiny $fp1 = "clone" fullword wide ascii $fp2 = "* @assert" ascii $fp3 = "*@assert" ascii + $fp4 = "--EXPECT--" ascii //strings from private rule capa_php_old_safe $php_short = "