diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_suspicious_keywords.yml
index 42acef2ad..bbfbe5a2c 100644
--- a/rules/windows/powershell/powershell_suspicious_keywords.yml
+++ b/rules/windows/powershell/powershell_suspicious_keywords.yml
@@ -14,7 +14,8 @@ logsource:
 definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
 detection:
 keywords:
- - System.Reflection.Assembly.Load
+ Message:
+ - "*[System.Reflection.Assembly]::Load*"
 condition: keywords
 falsepositives:
 - Penetration tests
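Review bot: The added `Message` pattern only matches the fully-qualified `[System.Reflection.Assembly]::Load` spelling; PowerShell resolves the `System.` prefix implicitly, so the commonly seen `[Reflection.Assembly]::Load($bytes)` form evades this rule entirely. Anchoring on the suffix covers both spellings with a single entry: `- "*Reflection.Assembly]::Load*"` (the trailing wildcard already picks up `LoadFile`, `LoadFrom` and `LoadWithPartialName`, which is worth a comment so nobody later tightens it to an exact match). Note that the removed bare keyword `System.Reflection.Assembly.Load` would have hit C#-style source embedded via `Add-Type`; if that coverage is still wanted, keep it as a second list entry rather than dropping it.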