diff --git a/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml
index 442b67b4a..2cb0b5bbe 100644
--- a/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml
+++ b/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects possible bypass EDR and SIEM via abnormal user account name.
 author: Ilyas Ochkov, oscd.community
 date: 2019/10/25
-modified: 2022/10/09
+modified: 2022/11/22
 tags:
     - attack.defense_evasion
     - attack.t1036
@@ -12,16 +12,18 @@ logsource:
     product: windows
     service: security
 detection:
-    selection:
-        EventID:
-            - 4720 # create user
-            - 4781 # rename user
+    selection1:
+        EventID: 4720 # create user
         SamAccountName|contains: '$'
-    condition: selection
+    selection2:
+        EventID: 4781 # rename user
+        NewTargetUserName|contains: '$'
+    condition: 1 of selection*
 fields:
     - EventID
     - SamAccountName
     - SubjectUserName
+    - NewTargetUserName
 falsepositives:
     - Unknown
 level: high
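Review bot: selection2 will match every computer-account rename, because event 4781 is generated for computer accounts as well as users and a renamed machine's NewTargetUserName legitimately ends in `$`; with `condition: 1 of selection*` that makes the rule fire at high level on routine domain maintenance, while `falsepositives` still says `Unknown`. One way to keep the rename leg focused on user accounts being given a machine-like name is to exclude events where the old name already carried the suffix, e.g. add `filter_computer_rename:` / `    OldTargetUserName|endswith: '$'` and change the condition to `condition: selection1 or (selection2 and not filter_computer_rename)`; if that is not wanted, at least replace `- Unknown` with `- Computer account renames (4781 where both old and new names end with $)`. On style, `selection1`/`selection2` say nothing about what each leg covers; `selection_create` and `selection_rename` (with `condition: 1 of selection_*`) would make the two EventID branches self-describing and match the inline comments already on the EventID lines. Since `OldTargetUserName` is the value a triage analyst needs to judge a 4781 hit, it is also worth adding to `fields` next to the new `NewTargetUserName` entry.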