diff --git a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
index 62e43fa84..84e0f7b09 100644
--- a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
+++ b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
@@ -52,6 +52,7 @@ detection:
 - 'C:\Windows\System32\dllhost.exe'
 - 'C:\Windows\System32\DeviceCensus.exe'
 - 'C:\Windows\System32\MpSigStub.exe'
+ - 'C:\Windows\UUS\amd64\MoUsoCoreWorker.exe'
 filter_system:
 Image: 'System'
 filter_Keybase:
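Review bot: The new `MoUsoCoreWorker.exe` exclusion matches only the `C:\Windows\UUS\amd64\` path; on builds where the Update Session Orchestrator worker runs from a different directory the same raw-access events would presumably still fire, so confirm the image paths actually observed before treating this single path as sufficient. The entry gives a triager no hint why this image is allowed, unlike a documented exclusion; consider an inline `# Windows Update Session Orchestrator worker (UUS stack)` on the added line. If the rule header carries a `modified:` date (outside this hunk), it should be bumped in the same change so consumers can see the filter set changed. The filter list this line belongs to begins before the hunk.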