diff --git a/rules/windows/process_creation/win_susp_wmi_execution.yml b/rules/windows/process_creation/win_susp_wmi_execution.yml
index 6c53498dc..165e41fd2 100644
--- a/rules/windows/process_creation/win_susp_wmi_execution.yml
+++ b/rules/windows/process_creation/win_susp_wmi_execution.yml
@@ -17,7 +17,6 @@ detection:
 Image|endswith: '\wmic.exe'
 selection2:
 CommandLine|contains|all:
- - '/NODE:'
 - 'process'
 - 'call'
 - 'create '
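Review bot: With `'/NODE:'` no longer required in the `CommandLine|contains|all` list of `selection2`, that selection matches any command line containing `process`, `call` and `create `, so it now covers local `wmic process call create` invocations as well as remote ones. The rule's title, description, `falsepositives` and `level` lie outside this hunk; if they still describe remote execution only, they should be brought in line with the wider scope, and the alert volume re-checked against software deployment and administration scripts that launch processes through wmic. A short comment above the list would record the intent, e.g. `# '/NODE:' intentionally not required: local process creation via wmic is in scope`. The `detection` mapping starts and ends outside the hunk, so how `selection2` is combined in `condition` is not visible here.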