diff --git a/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
index 6782e2408..d3b756573 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
@@ -9,7 +9,7 @@ references:
     - https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
 date: 2019/08/11
-modified: 2022/10/05
+modified: 2023/04/12
 tags:
     - attack.execution
     - attack.t1059.001
@@ -22,7 +22,9 @@ detection:
         HostApplication|contains: '*'
     filter:
         # If you extracted the fields from this event. Use the filter list described in 64e8e417-c19a-475a-8d19-98ea705394cc to filter FPs
-        - HostApplication|startswith: 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe'
+        - HostApplication|startswith:
+            - 'powershell'
+            - 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe'
         - ContextInfo|contains: 'Citrix\ConfigSync\ConfigSync.ps1'
     condition: selection and not filter
 falsepositives: