diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
index 958bb676a..32d6de754 100644
--- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
+++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
@@ -17,13 +17,15 @@ logsource:
     category: pipe_created
     definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17)'
 detection:
-    selection_start:
+    selection_MSSE_start:
         PipeName|startswith: '\MSSE-'
-    selection_end:
+    selection_MSSE_end:
         PipeName|endswith: '-server'
-    selection_others:
+    selection_postex:
+        PipeName|startswith: '\postex_'
+    selection_msagent:
         PipeName|startswith: '\msagent_'
-    condition: selection_start and selection_end
+    condition: selection_MSSE_start and selection_MSSE_end or selection_postex or selection_msagent
 falsepositives:
     - Unknown
 level: critical
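Review bot: The new `condition` line only reads as intended because Sigma gives `and` higher precedence than `or`; the paired MSSE prefix/suffix selections should be grouped explicitly so nobody later "fixes" it into three OR'd prefixes, e.g. `condition: (selection_MSSE_start and selection_MSSE_end) or selection_postex or selection_msagent`. The three pipe prefixes being added and renamed here appear to be Cobalt Strike's out-of-the-box pipe names, which a malleable C2 profile can change, so a short comment above `selection_postex` such as `# Default Cobalt Strike pipe names (MSSE-<n>-server, postex_<hex>, msagent_<n>); renamed pipes via malleable C2 will not match` would help analysts tune and understand the rule's coverage. With `level: critical` and `falsepositives: Unknown` left as is, it would also be worth recording in the rule description (outside this hunk) whether the bare `\postex_` and `\msagent_` prefixes were checked against legitimate software in the authors' environment, since a prefix-only match is broader than the MSSE start-and-end pair.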