diff --git a/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml b/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml
index 9b14e3686..3f89a2ea0 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml
@@ -2,7 +2,7 @@ title: Shells Spawned by Web Servers
 id: 8202070f-edeb-4d31-a010-a26c72ac5600
 status: test
 description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
-author: Thomas Patzke, Florian Roth
+author: Thomas Patzke, Florian Roth, Zach Stanford @svch0st
 date: 2019/01/16
 modified: 2022/03/17
 tags:
@@ -34,9 +34,10 @@ detection:
 ParentImage|endswith:
 - '\java.exe'
 - '\javaw.exe'
- CommandLine|contains:
+ ParentCommandLine|contains:
 - 'catalina.jar'
 - 'CATALINA_HOME'
+ - 'catalina.home'
 anomaly_children:
 Image|endswith:
 - '\cmd.exe'
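Review bot: The Tomcat branch now depends on `ParentCommandLine`, a field that is only present when the log source records the parent's command line (Sysmon Event ID 1 does; Windows Security 4688, as far as I know, carries only the creator process path), so on a 4688-only pipeline this selection silently never matches and a shell spawned under java.exe is caught only if one of the other parent-image selections happens to fire. That limitation deserves a comment above the field, e.g. `# ParentCommandLine is not available in Security 4688; needs Sysmon EID 1 or an equivalent source`. Separately, the detection logic changed but `modified: 2022/03/17` is unchanged context in the first hunk; if this commit is dated later than that, bump `modified`, since Sigma ties that field to logic changes rather than metadata edits. The enclosing `detection` mapping and its `condition` line begin and end outside the hunk, so I cannot confirm how this selection is combined with the others.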