diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
index 13ee8b635..87b6a254f 100644
--- a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -13,7 +13,6 @@ logsource:
 product: windows
 detection:
 selection:
- EventID: 1
 Image|endswith:
 - '\powershell.exe'
 ParentImage|endswith:
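Review bot: Removing `EventID: 1` from `selection` leaves the event type scoped only by the `logsource` block, whose first line sits outside this hunk; the only logsource key visible here is `product: windows`, so if that block does not also carry `category: process_creation` the selection is no longer pinned to process-creation events and would match any Windows event whose field mapping yields both `Image` and `ParentImage`. If this is part of a migration to the generic `category: process_creation` logsource, please confirm that line is present (presumably on the line just above the hunk) and that the backend configuration maps it to Sysmon EID 1 / Security 4688, since the rule otherwise silently widens rather than narrows. If the logsource is still `service: sysmon` only, keep `EventID: 1` or add `category: process_creation` in the same change. The `selection` block also continues past the end of the hunk, so the remaining fields could not be checked here.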