diff --git a/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml b/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml
index 59e17c16d..dbad9aca2 100644
--- a/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml
+++ b/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml
@@ -18,11 +18,12 @@ detection:
 - Product|endswith: 'AccessChk'
 - Description|contains: 'Reports effective permissions'
 - Image|endswith: '\accesschk.exe'
- selection_cli: # These are the most common flags used with this tool. You could add other combinations if needed
- - 'uwcqv '
- - 'kwsu '
- - 'qwsu '
- - 'uwdqs '
+ selection_cli:
+ CommandLine|contains: # These are the most common flags used with this tool. You could add other combinations if needed
+ - 'uwcqv '
+ - 'kwsu '
+ - 'qwsu '
+ - 'uwdqs '
 condition: all of selection*
 fields:
 - IntegrityLevel
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml b/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml
index f80c90aa7..031e2dbe8 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml
@@ -18,7 +18,11 @@ detection:
 CommandLine|contains|all:
 - ' service '
 - ' get '
- - ' name,displayname,pathname,startmode'
+ CommandLine|contains:
+ - name
+ - displayname
+ - pathname
+ - startmode
 condition: all of selection*
 falsepositives:
 - Unknown
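Review bot: The four `CommandLine|contains` values under `selection_cli` only fire when the switches are typed as one token in exactly that order, e.g. `-uwcqv `; accesschk accepts the same switches in any order or split apart (`-cqvuw`, `-u -w -c -q -v`), so simply reordering them is enough to evade this selection. Since the list is declared as "the most common flags" rather than an exhaustive set, that limitation belongs in the comment where the choice is made: `# NOTE: matching is order-sensitive (-uwcqv matches, -cqvuw does not); these are the common combinations, add others if needed`. The trailing space inside each quoted value is what makes the match, so a switch group given as the last token on the command line is also missed; keep the quotes on any value added later or YAML will strip that space. The selection holding the `Product`/`Description`/`Image` items and the rest of the `detection:` block begin outside the hunk.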
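Review bot: The added `CommandLine|contains` list is OR-ed, and its first value `name` is a substring of both `displayname` and `pathname`, so the selection collapses to `wmic service get` plus the bare substring `name` — the `displayname` and `pathname` entries can never contribute a match the first one does not, and a plain `wmic service get name` (no path column requested at all) now triggers the rule. For an unquoted-service-path search the column that matters is `pathname`; I would require it rather than offer it as one alternative, `CommandLine|contains: - pathname`, or at minimum drop `name` from the list. If `startmode` is kept, note in the rule that it is a weak signal on its own since it reveals no path. The enclosing selection key and the rest of `detection:` begin outside the hunk, and `falsepositives: - Unknown` probably understates how routinely administrators run `wmic service get name`.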