diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
index 53ca1e6a4c4..94e7993f482 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
@@ -9,7 +9,7 @@ references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
-modified: 2022/11/27
+modified: 2022/12/02
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -21,7 +21,7 @@ logsource:
     definition: PowerShell Module Logging must be enabled
 detection:
     selection_4103:
-        Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
+        Payload|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
     condition: selection_4103
 falsepositives:
     - Unknown
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
index c2fcb76a1bd..a121dcb1a18 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
@@ -9,7 +9,7 @@ references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2022/11/29
+modified: 2022/12/02
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -21,7 +21,7 @@ logsource:
     definition: PowerShell Module Logging must be enabled
 detection:
     selection_4103:
-        Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+        Payload|re: '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"'
     condition: selection_4103
 falsepositives:
     - Unknown
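Review bot: The rewritten `Payload|re` pattern in the second hunk of posh_pm_invoke_obfuscation_clip.yml still has no `(?i)` prefix, so on backends whose regex is case-sensitive by default only lowercase `cmd`, `clip` and `clipboard` match, whereas the posh_pm_invoke_obfuscation_via_var pattern rewritten in this same commit does start with `(?i)`. Since the commit already touches every one of these patterns, it is the natural place to make them consistent: `Payload|re: '(?i).*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'`. The same inconsistency is in the stdin hunk that follows on this line, in the posh_pm_invoke_obfuscation_var hunk, and in the powershell_script copies posh_ps_invoke_obfuscation_clip and posh_ps_invoke_obfuscation_var (ScriptBlockText). If case-sensitive matching is deliberate there, a short comment on the line saying so would stop the next cleanup from re-raising it.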
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
index cd0de12279b..15597a1fd6e 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
@@ -9,7 +9,7 @@ references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2022/11/29
+modified: 2022/12/02
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -21,7 +21,7 @@ logsource:
     definition: PowerShell Module Logging must be enabled
 detection:
     selection_4103:
-        Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+        Payload|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
     condition: selection_4103
 falsepositives:
     - Unknown
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
index 834abcae109..fe9edfa527e 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
@@ -9,7 +9,7 @@ references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
-modified: 2022/11/29
+modified: 2022/12/02
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -21,7 +21,7 @@ logsource:
     definition: PowerShell Module Logging must be enabled
 detection:
     selection_4103:
-        Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+        Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
     condition: selection_4103
 falsepositives:
     - Unknown
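Review bot: The new `Payload|re` line in posh_pm_invoke_obfuscation_var.yml keeps the empty alternative `(?:\s|)` and the `{1,}` quantifiers, which read as oversights even though they are valid; the same cleanup that dropped the needless escapes could write them as `\s?` and `+`: `Payload|re: '.*cmd.{0,5}(?:/c|/r)\s?"set\s[a-zA-Z]{3,6}.*(?:\{\d\})+\\"\s+?-f(?:.*\))+.*"'`. This is purely a spelling change — `(?:\s|)` and `\s?` both prefer to consume the whitespace and both accept its absence — so the set of matched payloads is unchanged. The ScriptBlockText copy in posh_ps_invoke_obfuscation_var.yml carries the same pattern.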
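Review bot: In posh_pm_invoke_obfuscation_via_var.yml the trailing comment `# FPs with |\/r` still uses the escaped `\/r` spelling that this commit removes from the pattern itself (`cmd.*/c`), so the comment no longer matches the syntax of the alternation it refers to. It also says neither what `/r` is nor why it was left out; presumably extending the alternation to `(?:/c|/r)` produced false positives, but the note is too terse to confirm that. Suggested replacement, to be corrected by whoever ran the original test: `# only /c is matched: adding an /r alternative produced false positives`. The capturing group `(\{\d\}){2,}` could also become `(?:\{\d\}){2,}` to match the non-capturing style used by the other patterns in this commit. posh_ps_invoke_obfuscation_via_var.yml carries the identical line and comment.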
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
index fdc6069f916..91814308c20 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
@@ -6,7 +6,7 @@ references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
-modified: 2022/11/27
+modified: 2022/12/02
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -18,7 +18,7 @@ logsource:
     definition: Script block logging must be enabled
 detection:
     selection_4104:
-        ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
+        ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
     condition: selection_4104
 falsepositives:
     - Unknown
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
index ac368db0c1d..95f709d0bb6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
@@ -6,7 +6,7 @@ references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2022/11/29
+modified: 2022/12/02
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -18,7 +18,7 @@ logsource:
     definition: Script block logging must be enabled
 detection:
     selection_4104:
-        ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+        ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
     condition: selection_4104
 falsepositives:
     - Unknown
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
index 8b94e1e348a..0a2966fbf04 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
@@ -6,7 +6,7 @@ references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
-modified: 2022/11/29
+modified: 2022/12/02
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -18,7 +18,7 @@ logsource:
     definition: Script block logging must be enabled
 detection:
     selection_4104:
-        ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+        ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
     condition: selection_4104
 falsepositives:
     - Unknown