diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
index b9fa47a79..9ef55c3e1 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
@@ -4,8 +4,9 @@ status: experimental
 description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
 references:
     - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali, Tim Shelton
 date: 2022/08/08
+modified: 2022/08/12
 logsource:
     category: process_creation
     product: windows
@@ -14,7 +15,7 @@ detection:
         - Image|endswith: 'reg.exe'
         - OriginalFileName: 'reg.exe'
     selection_delete:
-        CommandLine|contains:
+        CommandLine|contains|all:
             - ' delete '
             - '\SYSTEM\CurrentControlSet\Control\SafeBoot'
     condition: all of selection*
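Review bot: The switch from `contains` to `contains|all` in the second hunk turns `selection_delete` from an OR over the two list items into an AND, but nothing in the rule records that both substrings must co-occur on one command line, so a later edit that appends a third list item or drops the `|all` modifier would silently widen or narrow the match. A comment above the modifier line would make the intent explicit, e.g. `# both substrings must appear in the same command line (contains|all = AND); the verb and the SafeBoot key on their own are benign`. The `' delete '` item relies on a space on each side of the verb, so a command line where the verb is followed by a tab or a quote would presumably not match; worth stating in that comment as a known limitation rather than changing here. The first hunk is metadata only (author and `modified` date) and needs nothing. The `detection` block and the selection holding the `Image`/`OriginalFileName` items begin before the second hunk.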