diff --git a/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml b/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
index 974b20c8e..acfadcb11 100644
--- a/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
+++ b/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
@@ -7,7 +7,7 @@ tags:
 - attack.t1059.001
 author: Florian Roth (rule), Jonhnathan Ribeiro
 date: 2017/03/05
-modified: 2022/02/11
+modified: 2022/02/16
 logsource:
 product: windows
 service: powershell
@@ -53,6 +53,7 @@ detection:
 - '.Download'
 filter_chocolatey:
 - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
+ - "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
 condition: (all of convert_b64 or all of iex_selection or all of enc_selection or all of reg_selection or all of webclient_selection or all of iex_webclient) and not 1 of filter_*
 falsepositives:
 - Penetration tests
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
index 23e923351..4aa90b4d9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
@@ -10,7 +10,7 @@ tags:
 - attack.t1059.001
 author: Florian Roth (rule), Jonhnathan Ribeiro
 date: 2017/03/05
-modified: 2022/02/11
+modified: 2022/02/16
 logsource:
 product: windows
 category: ps_script
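Review bot: The added `filter_chocolatey` entry closes the string literal with `')` while the existing entry directly above it stops at `install.ps1` with no closing quote, so the two allowlist keywords are matched with different strictness: the first also excludes any invocation whose URL continues past `install.ps1`, the second only the exact call followed by `')`. Keeping both parallel is the safer choice; ending both at the closing quote, `- "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'"`, still matches the standard install one-liner but does not exclude a URL that continues past the script name. Since this rule lives under `deprecated/`, the point is mainly that the two files should carry the same entries in the same form.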
@@ -61,7 +61,9 @@ detection:
 - 'Net.WebClient'
 - '.Download'
 filter_chocolatey:
- ScriptBlockText|contains: "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
+ ScriptBlockText|contains:
+ - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
+ - "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
 condition: 1 of select* and not 1 of filter*
 falsepositives:
 - Penetration tests
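Review bot: The new `ScriptBlockText|contains` allowlist entry, like the one above it, suppresses the alert for the entire script block whenever the substring appears anywhere in it, because the condition is `1 of select* and not 1 of filter*`; a script that carries `(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')` in a comment or an unused string and then runs an unrelated encoded command or download cradle would hit a selection and still be excluded. The commit widens that exclusion to a second host without narrowing it in any way. Whether real Chocolatey installs need this exclusion is not visible here, but a comment above `filter_chocolatey` would at least make the trade-off explicit: `# NOTE: substring allowlist - any script block containing one of these strings is excluded entirely; keep entries exact and review before adding more`. Ending the new entry at `install.ps1'` rather than `install.ps1')` would also keep it parallel with the existing entry, which has no closing quote.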