diff --git a/rules/windows/process_creation/win_apt_zxshell.yml b/rules/windows/process_creation/win_apt_zxshell.yml
index 03dbdea6..20858f85 100755
--- a/rules/windows/process_creation/win_apt_zxshell.yml
+++ b/rules/windows/process_creation/win_apt_zxshell.yml
@@ -17,7 +17,7 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine:
+        CommandLine|contains:
             - 'rundll32.exe *,zxFunction*'
             - 'rundll32.exe *,RemoteDiskXXXXX'
     condition: selection
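Review bot: The trailing wildcard in `'rundll32.exe *,zxFunction*'` becomes redundant once the field carries the `|contains` modifier, because `contains` already wraps the value in leading and trailing wildcards; `- 'rundll32.exe *,zxFunction'` matches the same command lines and brings the entry into the same form as the `RemoteDiskXXXXX` one. The mid-string `*` between `rundll32.exe ` and the comma is still an in-value wildcard under `contains`, presumably left there to skip the DLL path, and a short comment above the selection saying so (`# contains: unanchored, so full-path rundll32 invocations match; inner * skips the DLL path`) would spare the next reader from re-deriving it. The rule header and the rest of `logsource` are outside the hunk.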