diff --git a/rules/windows/process_creation/win_susp_cli_escape.yml b/rules/windows/process_creation/win_susp_cli_escape.yml
index 46f573fcd..feeb333c8 100644
--- a/rules/windows/process_creation/win_susp_cli_escape.yml
+++ b/rules/windows/process_creation/win_susp_cli_escape.yml
@@ -18,7 +18,7 @@ logsource:
 detection:
     selection:
         CommandLine:
-            - <TAB>
+            # - <TAB>   # no TAB modifier in sigmac yet, so this matches <TAB> (or TAB in elasticsearch backends without DSL queries)
             - ^h^t^t^p
             - h"t"t"p
     condition: selection