diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_shellcode_b64.yml
index 3d7988b68..ba269aca2 100644
--- a/rules/windows/powershell/powershell_shellcode_b64.yml
+++ b/rules/windows/powershell/powershell_shellcode_b64.yml
@@ -23,7 +23,7 @@ detection:
 EventID: 4104
 ScriptBlockText|contains: 'AAAAYInlM'
 selection2:
- ScriptBlockText|contains|all:
+ ScriptBlockText|contains:
 - 'OiCAAAAYInlM'
 - 'OiJAAAAYInlM'
 condition: selection and selection2
diff --git a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
index e5d69a30a..9a5f1afb3 100644
--- a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
+++ b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
@@ -28,9 +28,9 @@ detection:
 - 'cmd.exe /C * > *\\Temp\\* 2>&1'
 CommandLine|contains:
 # cme/helpers/powershell.py:139 (PowerShell execution with obfuscation)
- - '*powershell.exe -exec bypass -noni -nop -w 1 -C "*'
+ - 'powershell.exe -exec bypass -noni -nop -w 1 -C "'
 # cme/helpers/powershell.py:149 (PowerShell execution without obfuscation)
- - '*powershell.exe -noni -nop -w 1 -enc *'
+ - 'powershell.exe -noni -nop -w 1 -enc '
 condition: selection
 fields:
 - ComputerName
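Review bot: With selection2 now an OR over 'OiCAAAAYInlM' and 'OiJAAAAYInlM', the `ScriptBlockText|contains: 'AAAAYInlM'` filter in selection is subsumed — both list items contain that exact substring — so it adds nothing beyond `EventID: 4104` and should either be dropped or annotated as a deliberate cheap pre-filter. The two items appear to be the same base64-encoded prologue differing in one encoded byte, which is presumably why `|all` could never fire; a comment such as `# alternatives, not a conjunction: same prologue, one byte differs — do not use |all` would stop the next reader from reintroducing it. Base64 substrings also only match one of the three possible encoding alignments of the underlying bytes, so the rule likely misses the same payload when it sits at a different offset in the encoded blob; that limitation belongs in the rule's description. The enclosing `selection:` key begins above the hunk.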
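Review bot: The two new patterns pin CME's exact argument spelling and order (`-exec bypass -noni -nop -w 1 -C "` and `-noni -nop -w 1 -enc `), so any edit to cme/helpers/powershell.py or an operator tweaking the launcher evades the rule; the source-line comments that justify them should record the CME version they were taken from, e.g. `# cme/helpers/powershell.py:139 (CME <version>; PowerShell execution with obfuscation)`, since bare line numbers drift across releases. Dropping the explicit `*` is right for `|contains`, which already wildcards both ends, but that same modifier makes the trailing space in `-enc ` load-bearing: `-enc\t`, `-EncodedCommand` or `-e` will not match, so if that narrowness is intended it deserves a one-line comment. The `selection:` block these list items belong to starts above the hunk, so whether it is a plain map or a list of alternatives cannot be confirmed from here.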