diff --git a/rules/windows/malware/sysmon_malware_notpetya.yml b/rules/windows/malware/sysmon_malware_notpetya.yml
index c4872343..ab5aa0fa 100644
--- a/rules/windows/malware/sysmon_malware_notpetya.yml
+++ b/rules/windows/malware/sysmon_malware_notpetya.yml
@@ -1,7 +1,7 @@
 title: NotPetya Ransomware Activity
 status: experimental
 description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
-author: Florian Roth
+author: Florian Roth, Tom Ueltschi
 reference:
     - https://securelist.com/schroedingers-petya/78870/
     - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
@@ -20,9 +20,13 @@ detection:
         EventID: 1
         Image: '*\wevtutil.exe'
         CommandLine: '* cl *'
+    rundll32_dash1:
+        EventID: 1
+        Image: '*\rundll32.exe'
+        CommandLine: '*.dat,#1'
     perfc_keyword:
         - '*\perfc.dat*'
-    condition: fsutil_clean_journal or pipe_com or event_clean or perfc_keyword
+    condition: fsutil_clean_journal or pipe_com or event_clean or rundll32_dash1 or perfc_keyword
 falsepositives:
     - Admin activity
 level: critical
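Review bot: The new `rundll32_dash1` selection's `CommandLine: '*.dat,#1'` has no trailing wildcard, so it only fires when `,#1` is the final token of the command line; the referenced Securelist analysis describes the payload being launched with further arguments after the ordinal (a delay value, e.g. `perfc.dat,#1 60`), which this pattern would presumably miss, so `CommandLine:` should be a list covering both forms: `- '*.dat,#1'` and `- '*.dat,#1 *'`. At the same time the selection is generic — any rundll32 invocation of a `.dat` module by ordinal 1 now raises a `level: critical` alert via the OR in `condition` — so either anchor it to the known name (`'*\perfc.dat,#1*'`) or add a corresponding `falsepositives` entry, as the existing `Admin activity` entry does not describe this case. The `description` in the first hunk still lists only the named-pipe, journal-deletion and wevtutil behaviours and should also mention the rundll32 ordinal-1 execution that this hunk adds.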