diff --git a/rules/windows/builtin/win_susp_run_locations.yml b/rules/windows/builtin/win_susp_run_locations.yml
index 3c702a7b1..9705c80ab 100644
--- a/rules/windows/builtin/win_susp_run_locations.yml
+++ b/rules/windows/builtin/win_susp_run_locations.yml
@@ -15,7 +15,7 @@ detection:
 - "*:\\RECYCLER\\*"
 - "*:\\SystemVolumeInformation\\*"
 - "%windir%\\Tasks\\*"
- - "%systemroot%\debug\\*"
+ - "%systemroot%\\debug\\*"
 condition: selection
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment
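Review bot: The corrected entry `"%systemroot%\\debug\\*"`, like `"%windir%\\Tasks\\*"` directly above it, can only match when the logged value still contains the unexpanded environment variable, so a path the OS has already expanded (one under `C:\Windows\debug\`) is not covered by this list. The escape fix itself is right — `\d` is not a valid escape in a YAML double-quoted scalar and would fail to parse — and it brings the entry in line with the `\\` used by the other three patterns. If the field this selection matches is a process image or parent-image path rather than a raw command line, consider adding expanded-form companions such as `- "*\\Windows\\Tasks\\*"` and `- "*\\Windows\\debug\\*"` so both forms are detected. The `detection:` block and its `selection` field name start above this hunk, so which field is matched cannot be confirmed from here.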