diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml
index aa415217e..b11a25f94 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml
@@ -16,9 +16,9 @@ falsepositives:
 - Unknown
 level: high
 detection:
- selection_1:
+ selection:
 - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
- condition: selection and selection_1
+ condition: selection
 ---
 logsource:
 product: windows
@@ -36,4 +36,4 @@ logsource:
 service: security
 detection:
 selection:
- EventID: 4697
\ No newline at end of file
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml
index ec7ce717c..565d62e2c 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml
@@ -16,9 +16,9 @@ falsepositives:
 - Unknown
 level: high
 detection:
- selection_1:
+ selection:
 - ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
- condition: selection and selection_1
+ condition: selection
 ---
 logsource:
 product: windows
diff --git a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index 960858a80..3468eaa55 100644
--- a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -14,7 +14,7 @@ tags:
 - attack.t1134.001
 - attack.t1134.002
 detection:
- selection_1:
+ selection:
 # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
 - ServiceFileName|contains|all:
 - 'cmd'
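Review bot: Renaming the shared `selection_1` to `selection` collides with the per-document `selection` that this file's second hunk still defines (`selection:` / `EventID: 4697` under `service: security`), so after the `---` the same key is declared twice and, when the rule-collection loader merges the first document into the later ones, one value replaces the other — presumably the document's `EventID: 4697` mapping overwrites the `ImagePath|re` list, leaving the rule firing on every service installation rather than only on the obfuscated command line. The old `condition: selection and selection_1` was what kept the shared regex selection and the per-document event selection distinct, which this multi-document layout needs. Keep the two names apart, e.g. `selection_obfuscation:` in the shared part with `condition: selection and selection_obfuscation`, rather than collapsing both onto `selection`. The identical rename and condition change is applied in win_invoke_obfuscation_via_use_clip_services.yml and in both hunks of win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml, whose per-document selections lie outside the visible hunks, so check those for the same key collision.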
@@ -32,7 +32,7 @@ detection:
 - 'rundll32'
 - '.dll,a'
 - '/p:'
- condition: selection and selection_1
+ condition: selection
 fields:
 - ComputerName
 - SubjectDomainName