diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml index 6604463a2..8b6b8d3d2 100644 --- a/rules/windows/process_creation/win_malware_notpetya.yml +++ b/rules/windows/process_creation/win_malware_notpetya.yml @@ -24,12 +24,12 @@ logsource: product: windows detection: pipe_com: - CommandLine: '*\AppData\Local\Temp\\* \\.\pipe\\*' + CommandLine|contains: '\AppData\Local\Temp\\* \\.\pipe\\' rundll32_dash1: - Image: '*\rundll32.exe' - CommandLine: '*.dat,#1' - perfc_keyword: - - '*\perfc.dat*' + Image|endswith: '\rundll32.exe' + CommandLine|endswith: '.dat,#1' + perfc_keyword|contains: + - '\perfc.dat' condition: 1 of them fields: - CommandLine
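Review bot: `perfc_keyword|contains:` attaches a modifier to a selection identifier that holds a bare keyword list, which as far as I know the Sigma specification only defines for field names inside a map; a backend is likely to treat the whole string `perfc_keyword|contains` as the identifier and the list as plain keywords, so the contains semantics the commit relies on (the old value carried explicit `*` wildcards) may be silently lost and `\perfc.dat` matched only as an exact token. Since this is a process_creation rule, the portable form is a field-based selection: `perfc_keyword:` followed by `CommandLine|contains: '\perfc.dat'`. Separately, `CommandLine|endswith: '.dat,#1'` keeps the old anchoring and will not fire if the export is invoked with a trailing argument (NotPetya samples were reportedly launched as `perfc.dat,#1 <minutes>`); `CommandLine|contains: '.dat,#1'` under the existing `Image|endswith: '\rundll32.exe'` would be more robust, though worth checking against the sample command lines before widening.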