diff --git a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
index e3d1980c8..cd59fa71b 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
@@ -5,9 +5,9 @@ description: WinPEAS is a script that search for possible paths to escalate priv
 references:
     - https://github.com/carlospolop/PEASS-ng
     - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
-author: Georg Lauenstein
+author: Georg Lauenstein (sure[secure])
 date: 2022/09/19
-modified: 2023/02/14
+modified: 2023/03/23
 tags:
     - attack.privilege_escalation
     - attack.t1082
@@ -17,25 +17,31 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection_basic:
-        Image|endswith:
+    selection_img:
+        - OriginalFileName: 'winPEAS.exe'
+        - Image|endswith:
             - '\winPEASany.exe'
             - '\winPEASany_ofs.exe'
             - '\winPEASx64.exe'
             - '\winPEASx64_ofs.exe'
             - '\winPEASx86.exe'
             - '\winPEASx86_ofs.exe'
-    selection_pe:
-        OriginalFileName: 'winPEAS.exe'
-    selection_option:
-        - CommandLine|endswith:
-            - 'serviceinfo' # Search services information
-            - 'applicationsinfo' # Search installed applications information
-            - 'windowscreds' # Search windows credentials
-            - 'browserinfo ' # Search browser information
-            - 'fileanalysis' # Search specific files that can contains credentials and for regexes inside files
-        - CommandLine|contains: '.exe browserinfo ' # Search browser information
-    condition: 1 of selection*
+    selection_cli_option:
+        CommandLine|contains:
+            - ' applicationsinfo' # Search installed applications information
+            - ' browserinfo' # Search browser information
+            - ' eventsinfo' # Display interesting events information
+            - ' fileanalysis' # Search specific files that can contains credentials and for regexes inside files
+            - ' filesinfo' # Search generic files that can contains credentials
+            - ' processinfo' # Search processes information
+            - ' servicesinfo' # Search services information
+            - ' windowscreds' # Search windows credentials
+    selection_cli_dl:
+        CommandLine|contains: 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/'
+    selection_cli_specific:
+        - ParentCommandLine|endswith: ' -linpeas'
+        - CommandLine|endswith: ' -linpeas'
+    condition: 1 of selection_*
 falsepositives:
-    - Other programs that use the same command line flags
+    - Unlikely
 level: high
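Review bot: The falsepositives entry removed here (`Other programs that use the same command line flags`) is replaced by `Unlikely` at the same time the flag matching gets broader, which reads as inconsistent: `selection_cli_option` now uses `CommandLine|contains` on short generic tokens such as ` processinfo`, ` filesinfo` and ` servicesinfo`, and with `condition: 1 of selection_*` any process whose command line contains one of them fires at `level: high` with no image or OriginalFileName constraint. I would keep the old falsepositives line next to `Unlikely`, or at least document in the rule why the bare tokens are considered specific enough on their own. Separately, `selection_cli_specific` matches `endswith: ' -linpeas'`; if that option can also carry a value (e.g. a `-linpeas=<value>` form, to be confirmed against the PEASS-ng usage text), `endswith` would miss it and `CommandLine|contains: ' -linpeas'` would be the more robust choice.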