diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml
index e3b75ba3a..9f6d8db77 100644
--- a/rules/windows/process_creation/win_webshell_detection.yml
+++ b/rules/windows/process_creation/win_webshell_detection.yml
@@ -25,13 +25,19 @@ detection:
 - '\apache'
 - '\tomcat'
 selection2:
- CommandLine|contains:
+ - CommandLine|contains:
 - 'whoami'
- - 'net user '
- - 'ping -n '
 - 'systeminfo'
 - '&cd&echo'
- - 'cd /d' # https://www.computerhope.com/cdhlp.htm
+ - CommandLine|contains|all:
+ - 'net'
+ - 'user'
+ - CommandLine|contains|all:
+ - 'cd' # https://www.computerhope.com/cdhlp.htm
+ - '/d'
+ - CommandLine|contains|all:
+ - 'ping'
+ - '-n'
 condition: selection and selection2
 fields:
 - CommandLine
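Review bot: The new `CommandLine|contains|all` pairs match their two tokens anywhere in the command line, in either order and with anything in between, so `'net'` + `'user'` fires on any command line that mentions a path under `\Users\` together with `dotnet`, `.NET` or `network`, and `'cd'` + `'/d'` on any `/d` switch appearing alongside a string that happens to contain `cd`; that is far broader than the `'net user '` / `'cd /d'` / `'ping -n '` literals they replace, even with the web-server parent-process constraint in `selection`. If the intent is to tolerate variable whitespace or `net1` (`net  user`, `net1 user`), a regex keeps the ordering and token boundaries: `- CommandLine|re: '\bnet1?\s+user\b'`, `- CommandLine|re: '\bcd\s+/d\b'`, `- CommandLine|re: '\bping\s+-n\b'`. If `contains|all` is kept deliberately for backend compatibility, document the accepted trade-off next to it, e.g. `# contains|all is order- and whitespace-insensitive; expect noise from \Users\ paths and dotnet/network strings`. The `selection` list that the first context lines of this hunk belong to begins before the hunk, so the parent-process scoping it applies is not fully visible here.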