diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_decrypt_pattern.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
index 20031347e..7530ca39c 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
@@ -7,6 +7,7 @@ references:
     - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2023/06/30
+modified: 2023/12/05
 tags:
     - attack.execution
 logsource:
@@ -35,12 +36,18 @@ detection:
             - 'gc '
             - 'cat '
             - 'type '
+            - ReadAllBytes
     selection_cli_specific:
-        CommandLine|contains|all:
-            - ' ^| '
-            - \*.lnk
-            - -Recurse
-            - '-Skip '
+        - CommandLine|contains|all:
+            - ' ^| '
+            - \*.lnk
+            - -Recurse
+            - '-Skip '
+        - CommandLine|contains|all:
+            - ' -ExpandProperty '
+            - \*.lnk
+            - WriteAllBytes
+            - ' .length '
     condition: process_creation and (all of selection_*)
 falsepositives:
     - Unlikely
diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_decrypt_pattern.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
index 241912eb7..e31a53d4d 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
@@ -7,6 +7,7 @@ references:
     - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2023/06/30
+modified: 2023/12/05
 tags:
     - attack.execution
     - sysmon
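Review bot: The new second `CommandLine|contains|all` map under selection_cli_specific (the `@@ -35,12 +36,18 @@` hunk) requires the token `' .length '` with a leading space, which presumably will not match the usual member-access spelling where nothing precedes the dot (`$var.Length`); confirm this against the command line the variant is meant to catch, or loosen the term to `.length` if the surrounding whitespace is not part of the observed sample. The same new map is added to the sysmon copy of the rule in the next hunk, so whatever is decided should be applied there too. The references list in the first hunk is unchanged while `modified` is bumped, so it is not visible which report the -ExpandProperty/WriteAllBytes variant is based on; a short YAML comment above the new map, e.g. `# Variant: LNK payload reassembled via WriteAllBytes (source: <reference placeholder>)`, or an added references entry, would document why these four terms were chosen and at what threshold they were validated against false positives.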
@@ -36,12 +37,18 @@ detection:
             - 'gc '
             - 'cat '
             - 'type '
+            - ReadAllBytes
     selection_cli_specific:
-        CommandLine|contains|all:
-            - ' ^| '
-            - \*.lnk
-            - -Recurse
-            - '-Skip '
+        - CommandLine|contains|all:
+            - ' ^| '
+            - \*.lnk
+            - -Recurse
+            - '-Skip '
+        - CommandLine|contains|all:
+            - ' -ExpandProperty '
+            - \*.lnk
+            - WriteAllBytes
+            - ' .length '
     condition: process_creation and (all of selection_*)
 falsepositives:
     - Unlikely