diff --git a/rules/windows/process_creation/win_pc_susp_powershell_encode.yml b/rules/windows/process_creation/win_pc_susp_powershell_encode.yml
index 271bc05da..af3a5ccd6 100644
--- a/rules/windows/process_creation/win_pc_susp_powershell_encode.yml
+++ b/rules/windows/process_creation/win_pc_susp_powershell_encode.yml
@@ -12,7 +12,7 @@ logsource:
 detection:
     selection:
         Image|endswith: \powershell.exe
-        CommandLine|contains:
+        CommandLine|contains|all:
             - '-e '
             - '==' # not all base64 have the ==
     condition: selection
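Review bot: Switching to `CommandLine|contains|all` turns `'=='` into a mandatory token, yet the comment on that same line already admits not all base64 carries it; because `-EncodedCommand` takes UTF-16LE text, only payloads whose character count is 2 modulo 3 end in `==`, so by my count roughly two thirds of encoded commands now go undetected. The `'-e '` token on the new side has the same recall gap: powershell.exe also accepts `-ec`, `-en`, `-enc` and `-EncodedCommand`, none of which contain `-e` followed by a space, and the missing leading space lets the token match inside an unrelated argument. I would drop `==` from the AND, list the accepted flag spellings with a leading space, and keep the image match in its own selection; the rest of the rule (logsource, falsepositives) is outside the hunk. If the `==` requirement was meant to cut false positives, a second selection on the base64 prefixes of common UTF-16LE script starts (e.g. `JAB`, `SQB`, `KAB`) would be a more reliable precision filter than padding characters.
```yaml
detection:
    selection_img:
        Image|endswith: '\powershell.exe'
    selection_flag:
        CommandLine|contains:
            - ' -e '
            - ' -ec '
            - ' -en '
            - ' -enc '
            - ' -encodedcommand '
    condition: all of selection_*
```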