diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml
index 1135169c9..8f5c95a03 100644
--- a/rules/windows/process_creation/win_webshell_spawn.yml
+++ b/rules/windows/process_creation/win_webshell_spawn.yml
@@ -10,18 +10,18 @@ logsource:
     product: windows
 detection:
     selection:
-        ParentImage:
-            - '*\w3wp.exe'
-            - '*\httpd.exe'
-            - '*\nginx.exe'
-            - '*\php-cgi.exe'
-            - '*\tomcat.exe'
-        Image:
-            - '*\cmd.exe'
-            - '*\sh.exe'
-            - '*\bash.exe'
-            - '*\powershell.exe'
-            - '*\bitsadmin.exe'
+        ParentImage|endswith:
+            - '\w3wp.exe'
+            - '\httpd.exe'
+            - '\nginx.exe'
+            - '\php-cgi.exe'
+            - '\tomcat.exe'
+        Image|endswith:
+            - '\cmd.exe'
+            - '\sh.exe'
+            - '\bash.exe'
+            - '\powershell.exe'
+            - '\bitsadmin.exe'
     condition: selection
 fields:
     - CommandLine