diff --git a/rules/windows/process_creation/win_apt_mustangpanda.yml b/rules/windows/process_creation/win_apt_mustangpanda.yml
index 28fa66924..252b8ab46 100644
--- a/rules/windows/process_creation/win_apt_mustangpanda.yml
+++ b/rules/windows/process_creation/win_apt_mustangpanda.yml
@@ -13,12 +13,13 @@ logsource:
 product: windows
 detection:
 selection1:
- CommandLine:
- - '*Temp\wtask.exe /create*'
- - '*%windir:~-3,1%%PUBLIC:~-9,1%*'
- - '*/E:vbscript * C:\Users\\*.txt" /F'
- - '*/tn "Security Script *'
- - '*%windir:~-1,1%*'
+ CommandLine|endswith:
+ - 'Temp\wtask.exe /create*'
+ - '%windir:~-3,1%%PUBLIC:~-9,1%*'
+ - '/tn "Security Script *'
+ - '%windir:~-1,1%*'
+ Commandline|startswith:
+ - '/E:vbscript * C:\Users\\*.txt" /F'
 selection2:
 Image:
 - '*Temp\winwsh.exe'
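Review bot: The new `Commandline|startswith` key narrows selection1 instead of preserving the original OR list: Sigma ANDs the keys of a selection map, so every event must now satisfy one of the four `CommandLine|endswith` values and the vbscript pattern, and the field is spelled `Commandline` rather than `CommandLine`, so backend field mappings will not resolve it to the same log field. The vbscript entry also lost its leading wildcard in favour of `startswith`, which cannot match a command line that begins with the executable path; the original `'*/E:vbscript * C:\Users\\*.txt" /F'` is an ends-with pattern. The four `|endswith` values keep a trailing `*`, which still matches but is `|contains` in disguise and will trip Sigma linters. Suggested rewrite below restores a single ORed list under `CommandLine|contains`; if the trailing `/F` anchor on the vbscript entry must be kept, place it in its own selection with `CommandLine|endswith` and OR it in `condition`, which lies outside this hunk.
```yaml
    selection1:
        CommandLine|contains:
            - 'Temp\wtask.exe /create'
            - '%windir:~-3,1%%PUBLIC:~-9,1%'
            - '/E:vbscript * C:\Users\\*.txt" /F'
            - '/tn "Security Script '
            - '%windir:~-1,1%'
    # … unchanged: selection2 …
```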