diff --git a/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml b/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml
index b21ea449c..4afdcd17f 100644
--- a/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml
@@ -19,7 +19,7 @@ detection:
         CommandLine|contains|all:
             - wevtutil
             - /lfn
-            - \.evtx
+            - .evtx
     filter_cmd:
         CommandLine|contains: \Windows\System32\winevt\Logs
     condition: selection_cmd and not filter_cmd
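Review bot: The hunk changes what the rule matches (under Sigma's escaping rules `\.evtx` is a literal backslash followed by `.evtx`, so the old value could only hit a path whose file name starts with a dot, while `.evtx` matches the extension as intended), yet no `modified:` date bump is visible; if the rule header above the hunk carries `modified:`, it should be updated alongside a detection-logic change. A short comment would keep the backslash from being reintroduced by a well-meaning "escape the dot" edit, e.g. `- .evtx  # no leading backslash: Sigma matches '\.' literally, not as a regex escape`. Coverage is narrower than the rule's intent: Microsoft documents `/logfilename:` as the long form of `/lfn:`, so `contains|all` on `/lfn` alone misses that spelling and `- /logfilename` (or a `CommandLine|contains` sub-selection over both) is worth adding; I have not verified whether wevtutil also accepts a `-` option prefix. The `selection_cmd` key and the rule metadata begin outside the hunk.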