diff --git a/rules/windows/powershell/powershell_suspicious_profile_create.yml b/rules/windows/powershell/powershell_suspicious_profile_create.yml
index 5266c23e5..de6a3897b 100644
--- a/rules/windows/powershell/powershell_suspicious_profile_create.yml
+++ b/rules/windows/powershell/powershell_suspicious_profile_create.yml
@@ -1,20 +1,26 @@
-title: Powershell profile modify
+title: Powershell Profile.ps1 Modification
+id: b5b78988-486d-4a80-b991-930eff3ff8bf
 status: experimental
-description: Detects a change in profile.ps1 of Powershell profile
+description: Detects a change in profile.ps1 of the Powershell profile
 references:
     - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
 author: HieuTT35
 date: 2019/10/24
+modified: 2020/04/03
 logsource:
     product: windows
     service: sysmon
 detection:
     event:
-        EventID: 11
+        EventID: 11
     target1:
-        TargetFilename|re: '.*\\My Documents\\PowerShell\\(Microsoft\.)?.*(Profile|profile)\.ps1'
+        TargetFilename|contains|all:
+            - '\My Documents\PowerShell\'
+            - '\profile.ps1'
     target2:
-        TargetFilename|re: 'C\:\\Windows\\System32\\WindowsPowerShell\\v1\.0\\(Microsoft\.)?.*(Profile|profile)\.ps1'
+        TargetFilename|contains|all:
+            - 'C:\Windows\System32\WindowsPowerShell\v1.0\'
+            - '\profile.ps1'
     condition: event and (target1 or target2)
 falsepositives:
     - System administrator create Powershell profile manually
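Review bot: The new `TargetFilename|contains|all` selections in target1 and target2 require the literal `\profile.ps1`, so the host-specific profiles (`Microsoft.PowerShell_profile.ps1`, `Microsoft.PowerShellISE_profile.ps1`) that the replaced regex `(Microsoft\.)?.*(Profile|profile)\.ps1` still caught through its `.*` are no longer matched, because in those names `profile.ps1` is preceded by an underscore rather than a backslash. Dropping the leading backslash in both entries, `- 'profile.ps1'`, restores that coverage; Sigma string matching is case-insensitive by default, so the old `(Profile|profile)` alternation needs no equivalent. Separately, the target1 prefix `\My Documents\PowerShell\` appears to be a legacy folder name — on current Windows the Windows PowerShell profile directory is `Documents\WindowsPowerShell\` — so unless Sysmon reports the legacy junction name this selection probably never fires, which is worth verifying against a real Event 11 before relying on it. The rule also carries no `level` field, which makes it hard to prioritise within a ruleset.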