diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
index 3996deda6cc..05427278224 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
@@ -7,7 +7,7 @@ references:
 - https://tools.thehacker.recipes/mimikatz/modules
 author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
 date: 2021-12-20
-modified: 2024-07-22
+modified: 2024-11-11
 tags:
 - attack.credential-access
 - attack.defense-evasion
@@ -74,7 +74,10 @@ detection:
 - 'MiniDump' # Process dumping method apart from procdump
 - 'net user '
 filter_main_ping:
-CommandLine|contains: 'ping 127.0.0.1 -n'
+CommandLine|contains|all:
+- 'ping'
+- '127.0.0.1'
+- ' -n '
 filter_vs:
 Image|endswith: '\PING.EXE'
 ParentCommandLine|contains: '\DismFoDInstall.cmd'
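Review bot: The new `filter_main_ping` in the second hunk is considerably broader than the substring it replaces: `'ping'` as a bare `contains` token also matches inside words such as `mapping` or `shipping`, and `' -n '` is a common argument pattern, so any command line that happens to carry all three fragments anywhere is excluded regardless of order or proximity. If this filter is applied as an exclusion in the rule's `condition` (which is outside the hunk, so I am inferring from the `filter_` naming), the loosening reduces coverage of the selection keywords above it; at minimum the first token should be anchored to the command, e.g. `- 'ping '` or `- 'ping.exe '`. The split into `contains|all` also deserves a comment stating which argument orderings it is meant to tolerate, e.g. `# Split tokens to match argument order variations of the loopback ping delay`, so the next editor does not tighten it back without knowing why. The first hunk is only the `modified` date bump.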