diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
index 02285b7d1..8455bfee9 100755
--- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
+++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
@@ -23,8 +23,8 @@ logsource:
 detection:
     selection1:
         CallTrace|contains|all:
-            - 'C:\Windows\SYSTEM32\ntdll.dll+'
-            - '|C:\Windows\System32\KERNELBASE.dll+'
+            - 'C:\WINDOWS\SYSTEM32\ntdll.dll+'
+            - '|C:\WINDOWS\System32\KERNELBASE.dll+'
             - '|UNKNOWN('
             - ')'
     selection2:
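Review bot: The two new selection1 entries mix `SYSTEM32` and `System32` on adjacent lines with no explanation, and nothing in the rule records that this is how the CallTrace field is rendered rather than a typo, so a later contributor is likely to "normalize" one of them; a comment such as `# casing presumably mirrors the CallTrace strings Sysmon emits — do not normalize` above `CallTrace|contains|all:` would anchor the intent. Whether the change from `Windows` to `WINDOWS` alters matching at all depends on whether the target backend treats `|contains` as case-sensitive, so the commit would benefit from stating which backend the old casing failed on. The entries also still pin the system drive to `C:`, which the rule inherits from before the change and which silently misses hosts whose system root is elsewhere. If the repository expects a `modified` date field to move with detection-logic changes, that line is outside this hunk and appears untouched. The detection block continues past the hunk, which ends on `selection2:`.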