diff --git a/queries/windows/cmstp_signed_binary_proxy_execution.yml b/queries/windows/cmstp_signed_binary_proxy_execution.yml
index 1eed907..cd896d2 100644
--- a/queries/windows/cmstp_signed_binary_proxy_execution.yml
+++ b/queries/windows/cmstp_signed_binary_proxy_execution.yml
@@ -8,7 +8,7 @@ mitre:
 technique: T1218
 subtechnique: 003
 operating_system: windows
-query: SrcProcName = "cmstp.exe" AND SrcProcCmdLine RegExp "^.*\.(inf)"
+query: SrcProcName = "cmstp.exe" AND SrcProcCmdLine ContainsCIS "/ni /s"
 false_positives:
 tags:
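Review bot: The new `query:` line matches only the literal substring `/ni /s`, so a cmstp.exe command line with the switches in the other order, separated by more than one space, or carrying `/s` without `/ni` no longer matches, and the `.inf` condition from the removed pattern is dropped entirely. Testing the switch and the file type as separate conditions keeps the rule independent of argument order and spacing, for example `query: SrcProcName = "cmstp.exe" AND SrcProcCmdLine ContainsCIS "/s" AND SrcProcCmdLine ContainsCIS ".inf"`; whether `/ni` should also be required is worth confirming against your own telemetry. Since `false_positives:` is still empty in the context lines, this would be a good place to record the legitimate Connection Manager profile installs that presumably run the same binary, so analysts know what benign hits look like.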