diff --git a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml b/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
index e1f150b77..9e75dea5b 100644
--- a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
+++ b/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
@@ -17,17 +17,17 @@ logsource:
 detection:
     selection:
         EventID: 20
-        Destination:
-            - '*new-object system.net.webclient).downloadstring(*'
-            - '*new-object system.net.webclient).downloadfile(*'
-            - '*new-object net.webclient).downloadstring(*'
-            - '*new-object net.webclient).downloadfile(*'
-            - '* iex(*'
-            - '*WScript.shell*'
-            - '* -nop *'
-            - '* -noprofile *'
-            - '* -decode *'
-            - '* -enc *'
+        Destination|contains:
+            - 'new-object system.net.webclient).downloadstring('
+            - 'new-object system.net.webclient).downloadfile('
+            - 'new-object net.webclient).downloadstring('
+            - 'new-object net.webclient).downloadfile('
+            - ' iex('
+            - 'WScript.shell'
+            - ' -nop '
+            - ' -noprofile '
+            - ' -decode '
+            - ' -enc '
     condition: selection
 fields:
     - CommandLine
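Review bot: The space-padded entries in the new `Destination|contains` list (`' iex('`, `' -nop '`, `' -noprofile '`, `' -decode '`, `' -enc '`) still require a space on both sides, so a switch that ends the consumer command line or is separated by another delimiter (`;iex(`, a tab, a quote) is not matched; since `contains` is already a substring match, the padding around the switches could be dropped, accepting the same false-positive exposure the old `*…*` wildcards already had. `' -enc '` also leaves the other spellings of that switch uncovered, so `' -encodedcommand '` and `' -ec '` would belong alongside it. Unrelated to the modifier change but visible in the hunk: the context line `- CommandLine` under `fields:` names a field that, as far as I can tell, Sysmon Event ID 20 does not carry — the consumer text this rule matches on is in `Destination`, so `fields` should probably list that instead. The rule's `logsource:` block starts above the hunk.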