diff --git a/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml b/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml
index 4f8aeb5ed..ca1832261 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml
@@ -15,7 +15,7 @@ logsource:
     product: windows
 detection:
     selection_lolbin:
-        CommandLine|contains:
+        Image|endswith:
             - '\wscript.exe'
             - '\cscript.exe'
     selection_exetensions:
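Review bot: Matching on `Image|endswith` ties `selection_lolbin` to the on-disk filename, which an operator executing from a non-C: drive fully controls, so a renamed copy of wscript.exe or cscript.exe is no longer caught once this lands; consider turning the selection into a list of alternatives and adding `- OriginalFileName: ['wscript.exe', 'cscript.exe']` next to the `Image|endswith` entry, as other process_creation rules in this repository commonly do, noting that the field is only populated by Sysmon-style telemetry. The narrowing away from `CommandLine|contains` is otherwise a sensible precision gain, since the old form also fired whenever the name merely appeared as an argument of some other process. Because the detection logic changes, the rule's `modified:` date should be bumped in the same commit, and no hunk touching it is visible here. The `condition` and the remaining selections, including `selection_exetensions`, lie outside this hunk, so whether the non-C-drive check itself relies on a path-independent field could not be confirmed.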