diff --git a/rules/windows/process_creation/win_susp_csc_folder.yml b/rules/windows/process_creation/win_susp_csc_folder.yml
index 332229af2..e783d5182 100644
--- a/rules/windows/process_creation/win_susp_csc_folder.yml
+++ b/rules/windows/process_creation/win_susp_csc_folder.yml
@@ -15,7 +15,9 @@ logsource:
 detection:
 selection:
 Image: '*\csc.exe'
- CommandLine: '*\AppData\*'
+ CommandLine:
+ - '*\AppData\*'
+ - '*\Windows\Temp\*'
 condition: selection
 falsepositives:
 - Unkown
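Review bot: The added `'*\Windows\Temp\*'` pattern broadens the selection to the machine-wide temp directory, but `falsepositives` is left at `- Unkown`, so the rule now gives analysts no hint about the benign source this path is most likely to surface. `C:\Windows\Temp` is the temp folder of services running as SYSTEM, and the .NET runtime is known to invoke `csc.exe` with a response file there when it compiles generated XmlSerializer assemblies, so alerts from the new pattern on servers are plausible without any attacker activity. I would replace the placeholder with something like `- .NET runtime compiling generated assemblies (e.g. XmlSerializers) from a temp directory under a service account` and fix the spelling if the placeholder is kept. If the rule's `title` or `description` above the hunk still describes only AppData, it should be updated to match the wider scope, along with the `modified` date the Sigma convention expects on such a change.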