diff --git a/rules/windows/process_creation/win_susp_iss_module_install.yml b/rules/windows/process_creation/win_susp_iss_module_install.yml
index 79e0debe3..269e18518 100644
--- a/rules/windows/process_creation/win_susp_iss_module_install.yml
+++ b/rules/windows/process_creation/win_susp_iss_module_install.yml
@@ -6,6 +6,7 @@ references:
     - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
 author: Florian Roth
 date: 2012/12/11
+modified: 2020/11/28
 tags:
     - attack.persistence
     - attack.t1505.003
@@ -15,8 +16,11 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|contains:
-            - '\APPCMD.EXE install module /name:'
+        Image|endswith: '\appcmd.exe'
+        CommandLine|contains|all:
+            - 'install'
+            - 'module'
+            - '/name:'
     condition: selection
 falsepositives:
     - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules
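Review bot: The new `Image|endswith: '\appcmd.exe'` line makes the whole match depend on the on-disk file name, so the rule is only as strong as that name; the three loosened tokens `install`, `module` and `/name:` are presumably acceptable only because the image is pinned, so the two parts must stay ANDed. Splitting the selection into an image selector that accepts either the path or, where the log source supplies it, `OriginalFileName: 'appcmd.exe'`, plus a separate command-line selector, keeps the tightened tokens while reducing the dependency on the file name; the condition then becomes `all of selection_*`. The `falsepositives` context line outside this change also carries the typo `arganisation`.

```yaml
detection:
    selection_img:
        - Image|endswith: '\appcmd.exe'
        - OriginalFileName: 'appcmd.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'install'
            - 'module'
            - '/name:'
    condition: all of selection_*
# … unchanged: falsepositives …
```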