diff --git a/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml
index 9e4d26755..ec8c67dc1 100644
--- a/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml
+++ b/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml
@@ -33,20 +33,20 @@ detection:
             - "cmstp.exe"
             - "msiexec.exe"
     filter:
-        Image:
-            - '*\powershell.exe'
-            - '*\powershell_ise.exe'
-            - '*\psexec.exe'
-            - '*\psexec64.exe'
-            - '*\cscript.exe'
-            - '*\wscript.exe'
-            - '*\mshta.exe'
-            - '*\regsvr32.exe'
-            - '*\wmic.exe'
-            - '*\certutil.exe'
-            - '*\rundll32.exe'
-            - '*\cmstp.exe'
-            - '*\msiexec.exe'
+        Image|endswith:
+            - '\powershell.exe'
+            - '\powershell_ise.exe'
+            - '\psexec.exe'
+            - '\psexec64.exe'
+            - '\cscript.exe'
+            - '\wscript.exe'
+            - '\mshta.exe'
+            - '\regsvr32.exe'
+            - '\wmic.exe'
+            - '\certutil.exe'
+            - '\rundll32.exe'
+            - '\cmstp.exe'
+            - '\msiexec.exe'
     condition: selection and not filter
 falsepositives:
     - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist