diff --git a/rules/windows/process_creation/win_susp_ntdsutil.yml b/rules/windows/process_creation/win_susp_ntdsutil.yml
index 979a09213..c38270c4f 100644
--- a/rules/windows/process_creation/win_susp_ntdsutil.yml
+++ b/rules/windows/process_creation/win_susp_ntdsutil.yml
@@ -15,7 +15,7 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine: '*\ntdsutil*'
+ CommandLine|contains: '\ntdsutil'
 condition: selection
 falsepositives:
 - NTDS maintenance
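Review bot: The new `CommandLine|contains: '\ntdsutil'` still anchors on a backslash before the name, so it keeps the old wildcard's gap: a command line that starts the tool by bare name with no path component would not match. If the rule is meant to cover any ntdsutil execution, pair the selection with an image check, e.g. `selection_image:` / `Image|endswith: '\ntdsutil.exe'` and `condition: selection or selection_image`. The rest of the rule (title, logsource fields before `product`, level and tags) lies outside this hunk, so the intended scope cannot be confirmed from here.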