diff --git a/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml b/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml
index 7cbc58067..0eb36bf78 100644
--- a/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml
@@ -14,7 +14,9 @@ logsource:
 detection:
 selection:
 ParentImage|endswith: '\bash'
- CommandLine|contains: 'id -Gn `'
+ CommandLine|contains:
+ - 'id -Gn `'
+ - "id -Gn '"
 condition: selection
 falsepositives:
 - Unlikely
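Review bot: The unchanged `ParentImage|endswith: '\bash'` line in this selection uses a backslash separator, but the rule sits under rules/linux and Linux image paths end in `/bash`. Because the selection requires both fields to match, it probably never matches, so the newly added `"id -Gn '"` pattern would not fire either. I would change that line to `ParentImage|endswith: '/bash'` in the same commit. The single-quote variant is also broader than the backtick one, since any script run from bash that quotes the username argument to `id -Gn` will match. `falsepositives` should therefore say so instead of `Unlikely`, for example `- Administrative scripts calling id -Gn with a quoted user name`.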