diff --git a/rules/windows/process_creation/win_susp_run_locations.yml b/rules/windows/process_creation/win_susp_run_locations.yml
index e5e68a674..e325b6c86 100644
--- a/rules/windows/process_creation/win_susp_run_locations.yml
+++ b/rules/windows/process_creation/win_susp_run_locations.yml
@@ -13,11 +13,18 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine:
+ Image:
 - '*:\RECYCLER\\*'
 - '*:\SystemVolumeInformation\\*'
- - '%windir%\Tasks\\*'
- - '%systemroot%\debug\\*'
+ - 'C:\\Windows\\Tasks\\*'
+ - 'C:\\Windows\\debug\\*'
+ - 'C:\\Windows\\fonts\\*'
+ - 'C:\\Windows\\help\\*'
+ - 'C:\\Windows\\drivers\\*'
+ - 'C:\\Windows\\addins\\*'
+ - 'C:\\Windows\\cursors\\*'
+ - 'C:\\Windows\\system32\tasks\\*'
+
 condition: selection
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment
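Review bot: The eight new Image patterns hard-code `C:\Windows`, so a host whose system root lives on another drive letter or in a non-default folder name silently falls outside the rule, whereas the two retained entries already use the drive-agnostic `*:\` prefix; the new entries should follow that form, e.g. `- '*:\\Windows\\Tasks\\*'`, for every added path. The last entry, `'C:\\Windows\\system32\tasks\\*'`, escapes the backslash before `tasks` differently from the rest of the list (single vs. doubled); Sigma treats both as a literal backslash, but the mixed form invites a wrong edit later, so `\\tasks` would be consistent. `C:\Windows\drivers` does not look like a standard directory on a default install (the driver store is under `System32\drivers`), so that entry is probably a typo for the `System32` path and is worth confirming against an actual host before merge. The trailing empty `+` line adds a stray blank line inside the `selection` block and can be dropped.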