diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
index 14a5bd776..a7c584bc8 100644
--- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
+++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
@@ -14,6 +14,7 @@ name = "Remote SSH Login Enabled via systemsetup Command"
 references = [
 "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf",
 "https://ss64.com/osx/systemsetup.html",
+ "https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac",
 ]
 risk_score = 47
 rule_id = "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc"
@@ -24,7 +25,7 @@ type = "query"
 query = '''
 event.category:process and event.type:(start or process_started) and process.name:systemsetup and
- process.args:("-f" and "-setremotelogin" and on)
+ process.args:("-setremotelogin" and on)
 '''