diff --git a/rules/windows/process_creation/win_susp_copy_system32.yml b/rules/windows/process_creation/win_susp_copy_system32.yml
index 48de314d0..5a3535453 100644
--- a/rules/windows/process_creation/win_susp_copy_system32.yml
+++ b/rules/windows/process_creation/win_susp_copy_system32.yml
@@ -16,8 +16,10 @@ tags:
 detection:
 selection:
 CommandLine|contains:
- - ' /c copy *\System32\'
- - 'xcopy*\System32\'
+ - ' /c copy'
+ - 'xcopy'
+ CommandLine|contains|all:
+ - '\System32\'
 condition: selection
 fields:
 - CommandLine
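Review bot: Splitting the two wildcard values into a `' /c copy'`/`'xcopy'` term ANDed with a separate `'\System32\'` term drops the ordering constraint the old patterns carried, so `\System32\` anywhere on the command line now satisfies the selection — including the image path of the interpreter itself (e.g. a command line that begins with the full path of `cmd.exe` under `\System32\` and then runs `/c copy` between two unrelated directories), which the previous `' /c copy *\System32\'` form did not match. That is likely to raise the false-positive rate on hosts that launch `cmd.exe` by absolute path, and the bare `'xcopy'` substring will also fire on paths that merely contain that string. If the wildcards were removed for backend-compatibility reasons, the ordering can be preserved without them via the regex modifier, e.g. `CommandLine|re: '(?i)( /c copy|xcopy).*\\System32\\'`; otherwise consider restoring the wildcard values. Also note that `contains|all` with a single list item is equivalent to plain `contains`, so the `|all` is redundant as written. The enclosing `detection` block is shown in full, but the rule's metadata above line 16 is outside the hunk.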