diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
index 264ebea41..ec2017ce7 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
@@ -21,7 +21,7 @@ logsource:
 definition: PowerShell Module Logging must be enabled
 detection:
 selection_4103:
- Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+ Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$?\{?input).*&&.*"'
 condition: selection_4103
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
index 1b6852542..206d3174b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
@@ -18,7 +18,7 @@ logsource:
 definition: Script block logging must be enabled
 detection:
 selection_4104:
- ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$?\{?input\}?|noexit).+\"'
 condition: selection_4104
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
index 43e172219..fadd177b3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
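Review bot: The new Payload regex makes the dollar sign optional with `\$?\{?input`, so the third alternative now also matches a bare `input` anywhere between the two `&&` segments, which is wider than the `\${?input` it replaces; if the purpose of this commit is only to escape the brace, the intended line is `Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"'`. The same `\$?` is introduced in the posh_ps_invoke_obfuscation_stdin.yml hunk, where it is the only change on the line because the brace there was already escaped, while the posh_ps_invoke_obfuscation_via_stdin.yml hunk keeps the dollar mandatory with `\$\{?input`, so the three sibling rules for the same technique now disagree on whether `$` is required. If the loosening is deliberate it should be applied to all three and the reason recorded in the rule, since `input` is a common substring of PowerShell parameter names (for example `-InputFormat`) and the extra matches will surface as false positives in module and script-block logs.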
@@ -18,7 +18,7 @@ logsource:
 definition: Script block logging must be enabled
 detection:
 selection_4104:
- ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+ ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"'
 condition: selection_4104
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml b/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml
index 4142110c3..4d6688ff0 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml
@@ -16,7 +16,7 @@ logsource:
 detection:
 selection:
 Image|endswith: '\xwizard.exe'
- CommandLine|re: '{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}}'
+ CommandLine|re: '\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml
index 64daeed83..50d2c0e20 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml
@@ -30,7 +30,7 @@ detection:
 Image|endswith:
 - '\powershell.exe'
 - '\pwsh.exe'
- CommandLine|re: '.*{.*{.*{.*{.*{.*'
+ CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*'
 selection4:
 Image|endswith:
 - '\powershell.exe'
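Review bot: The escaped CommandLine pattern `.*\{.*\{.*\{.*\{.*\{.*` in the proc_creation_win_powershell_cmdline_special_characters.yml hunk keeps five greedy `.*` segments, so on a long command line that contains fewer than five braces the engine backtracks through every `.*` before it can fail, and the leading and trailing `.*` add nothing because the `re` modifier is normally compiled as an unanchored search. A linear form that flags the same command lines (it is slightly more permissive only in that `[^{]` also consumes newlines where `.` may not) is `CommandLine|re: '(?:[^{]*\{){5}'`; if the wildcard style is kept for readability, dropping the outer segments to `\{.*\{.*\{.*\{.*\{` at least removes the redundant scans. The selection that owns this CommandLine key begins before the hunk and selection4 continues after it.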