diff --git a/rules/windows/sysmon/sysmon_certutil_decode.yml b/rules/windows/sysmon/sysmon_certutil_decode.yml
index 04d46518d..626b09a90 100644
--- a/rules/windows/sysmon/sysmon_certutil_decode.yml
+++ b/rules/windows/sysmon/sysmon_certutil_decode.yml
@@ -1,6 +1,6 @@
 title: Certutil Decode in AppData
 status: experimental
-description: Detetcs a Microsoft certutil execution with the 'decode' sub command on files in the AppData folder, which is sometimes used to decode malicious code with the built-in certutil utility
+description: Detetcs a Microsoft certutil execution with the 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
 author: Florian Roth
 reference: https://twitter.com/JohnLaTwC/status/835149808817991680
 logsource:
@@ -9,8 +9,7 @@ logsource:
 detection:
     selection:
         EventID: 1
-        Image: '*\certutil.exe'
-        CommandLine: '* -decode *\AppData\*'
+        Image: '*\certutil.exe -decode '
     condition: selection
 falsepositives:
     - unknown