diff --git a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
index c68ff242a..2ecee013f 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
 author: Sami Ruohonen, Harish Segar (improvement), Tim Shelton
 date: 2018/09/05
-modified: 2022/01/10
+modified: 2022/11/18
 tags:
 - attack.defense_evasion
 - attack.t1059.001
@@ -26,7 +26,8 @@ detection:
 - '-join`'
 - 'char'
 false_positives:
-ParentImage: C:\Program Files\Amazon\SSM\ssm-document-worker.exe
+ParentImage: 'C:\Program Files\Amazon\SSM\ssm-document-worker.exe'
+CommandLine|contains: 'function Convert-GuidToCompressedGuid'
 condition: selection and filter and not false_positives
 falsepositives:
 - Unknown
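Review bot: The added `CommandLine|contains` key sits in the same map as `ParentImage`, and Sigma AND-s the keys of one map, so `false_positives` now matches only when the parent is the SSM document worker AND the command line contains `function Convert-GuidToCompressedGuid`; processes spawned by that worker with any other command line are no longer excluded and will alert again, which may or may not be what was meant. If the two cases were meant to be excluded independently, `false_positives` should be a list of two maps (`- ParentImage: '...'` and `- CommandLine|contains: '...'`), which Sigma OR-s. If the narrowing is deliberate, it is the safer shape, because a bare `CommandLine|contains` exclusion is satisfied by any command line that carries that string, so binding it to the trusted parent image is what keeps the exclusion from being trivially abused; a one-line comment above the key stating which semantics is intended would save the next maintainer from re-deriving this.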