diff --git a/rules/windows/process_creation/win_system_exe_anomaly.yml b/rules/windows/process_creation/win_system_exe_anomaly.yml
index 1a7f614fb..fecb43bfd 100644
--- a/rules/windows/process_creation/win_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/win_system_exe_anomaly.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects a Windows program executable started in a suspicious folder
 references:
 - https://twitter.com/GelosSnake/status/934900723426439170
-author: Florian Roth, Patrick Bareiss
+author: Florian Roth, Patrick Bareiss, oscd.community
 date: 2017/11/27
 tags:
 - attack.defense_evasion
@@ -38,15 +38,16 @@ detection:
 - '\audiodg.exe'
 - '\wlanext.exe'
 filter:
- Image|startswith:
- - 'C:\Windows\System32\\'
- - 'C:\Windows\system32\\'
- - 'C:\Windows\SysWow64\\'
- - 'C:\Windows\SysWOW64\\'
+ - Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\system32\'
+ - 'C:\Windows\SysWow64\'
+ - 'C:\Windows\SysWOW64\'
+ - 'C:\Windows\winsxs\'
+ - 'C:\Windows\WinSxS\'
+ - '\SystemRoot\System32\'
+ - Image:
 - 'C:\Windows\explorer.exe'
- - 'C:\Windows\winsxs\\'
- - 'C:\Windows\WinSxS\\'
- - '\SystemRoot\System32\\'
 condition: selection and not filter
 fields:
 - ComputerName
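Review bot: The rebuilt `Image|startswith` filter in the second hunk excludes every path beneath the listed folders, not only the folders themselves, so a system-named binary launched from any sub-directory of System32 or SysWOW64 — some of which are writable without administrative rights — is dropped from the alert together with the legitimate copies; if the rule is meant to cover that case the prefixes need tightening, and otherwise the trade-off deserves a comment next to the list, e.g. `# startswith also excludes sub-folders of these directories`. The spelling pairs `System32`/`system32`, `SysWow64`/`SysWOW64` and `winsxs`/`WinSxS` are redundant because Sigma string matching is case-insensitive by default, so one entry per folder keeps the list shorter without changing what a spec-compliant backend matches (a backend that deviates from the spec would be the only reason to keep both). The `selection` list this filter is applied against begins above the hunk, so the names being excepted here are not visible in the diff.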