diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml
index 91cb6862a..f1f4d118b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml
@@ -10,7 +10,7 @@ references:
     - https://twitter.com/bryon_/status/975835709587075072
 author: 'Agro (@agro_sev) oscd.community'
 date: 2020/10/10
-modified: 2022/02/25
+modified: 2022/12/09
 tags:
     - attack.execution
     - attack.t1059.001
@@ -21,14 +21,13 @@ logsource:
     product: windows
 detection:
     selection_1:
-        Image|endswith: '\sqlps.exe'
+        - Image|endswith: '\sqlps.exe'
+        - OriginalFileName: 'sqlps.exe'
     selection_2:
         ParentImage|endswith: '\sqlps.exe'
-    selection_3:
-        OriginalFileName: '\sqlps.exe'
     filter:
         ParentImage|endswith: '\sqlagent.exe'
-    condition: 1 of selection_* and not filter
+    condition: (selection_1 and not filter) or selection_2
 falsepositives:
     - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
 level: medium