diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index a9599d230..ecfdc511e 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -25,8 +25,8 @@ type = "query"
 query = '''
 event.category:process and event.type:(start or process_started) and
- process.parent.name:(CompatTelRunner.exe or compattelrunner.exe) and
- not process.name:(conhost.exe or DeviceCensus.exe or devicecensus.exe or CompatTelRunner.exe or compattelrunner.exe or DismHost.exe or dismhost.exe or rundll32.exe)
+ process.parent.name:(CompatTelRunner.exe or compattelrunner.exe) and process.args:-cv* and
+ not process.name:(conhost.exe or DeviceCensus.exe or devicecensus.exe or CompatTelRunner.exe or compattelrunner.exe or DismHost.exe or dismhost.exe or rundll32.exe or powershell.exe)
 '''