diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
index a2a4ad534..a384047e8 100644
--- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
@@ -40,6 +40,7 @@ detection:
 - '* -e* IAB*'
 - '* -e* UwB*'
 - '* -e* cwB*'
+ - '*.exe -ENCOD *'
 falsepositive1:
 CommandLine: '* -ExecutionPolicy remotesigned *'
 condition: selection and not falsepositive1
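Review bot: The added `'*.exe -ENCOD *'` entry breaks the style of its sibling patterns (`'* -e* IAB*'` and the others), which are lower-case and anchored on a leading space rather than on `.exe`, and nothing explains why this one is shaped differently; Sigma string matching is case-insensitive by default, so the upper-case spelling adds nothing and reads as if case were significant. Unlike its siblings it also does not require a base64 prefix after the switch, so it presumably exists to catch the longer `-encod` abbreviation regardless of payload — if so, a comment such as `# -encod abbreviation, any payload; anchored on .exe to limit matches to the binary's own switches` above the line would make the intent reviewable. Consider writing it as `- '*.exe -encod *'` to match the list's casing. The `selection` list this entry belongs to begins above the hunk, and the new entry remains subject to the `falsepositive1` exclusion on `-ExecutionPolicy remotesigned` visible further down.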