diff --git a/rules/windows/process_creation/win_apt_greenbug_may20.yml b/rules/windows/process_creation/win_apt_greenbug_may20.yml
index 765f79a4b..8c630baa5 100644
--- a/rules/windows/process_creation/win_apt_greenbug_may20.yml
+++ b/rules/windows/process_creation/win_apt_greenbug_may20.yml
@@ -6,6 +6,7 @@ references:
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
 author: Florian Roth
 date: 2020/05/20
+modified: 2020/05/21
 tags:
 - attack.g0049
 logsource:
@@ -17,9 +18,7 @@ detection:
 - 'bitsadmin /transfer'
 - 'CSIDL_APPDATA'
 selection2:
- CommandLine|contains|all:
- - 'PowerShell.exe'
- - '-ExecutionPolicy Bypass'
+ CommandLine|contains:
 - 'CSIDL_SYSTEM_DRIVE'
 selection3:
 CommandLine|contains:
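Review bot: The rewritten `selection2` now matches any process whose command line merely contains `CSIDL_SYSTEM_DRIVE`, since the `PowerShell.exe` and `-ExecutionPolicy Bypass` constraints and the `|all` modifier were dropped; if the rule's `condition` (which lies outside this hunk) ORs the selections, this is a deliberate broadening and the reason should be recorded in the rule rather than only implied by the `modified` date. More importantly, `CSIDL_APPDATA` and `CSIDL_SYSTEM_DRIVE` look like the path placeholders the referenced Symantec write-up uses in place of real paths; if actual process telemetry carries the resolved path instead, neither `selection1` nor the new `selection2` will ever fire, so it is worth confirming these literals against real Sysmon/4688 command lines before relying on the rule. A short YAML comment above the selection would make the intent explicit, e.g. `# CSIDL_SYSTEM_DRIVE alone is treated as suspicious; PowerShell/ExecutionPolicy constraint removed 2020/05/21`.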