diff --git a/rules/windows/process_creation/win_system_exe_anomaly.yml b/rules/windows/process_creation/win_system_exe_anomaly.yml
index 222dda114..1332419c9 100644
--- a/rules/windows/process_creation/win_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/win_system_exe_anomaly.yml
@@ -26,8 +26,8 @@ detection:
 - '*\conhost.exe'
 filter:
 Image:
- - '*\System32\\*'
- - '*\SysWow64\\*'
+ - 'C:\Windows\System32\\*'
+ - 'C:\Windows\SysWow64\\*'
 condition: selection and not filter
 falsepositives:
 - Exotic software
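Review bot: The anchored filter entries `'C:\Windows\System32\\*'` and `'C:\Windows\SysWow64\\*'` assume that the system drive is C: and that the log source reports `Image` as a drive-letter path, so a host with Windows installed elsewhere would presumably alert on every legitimate system binary in the selection. Anchoring is the right direction, because the old `*\System32\\*` pattern also excluded any path that merely contained a folder named System32. If non-C: installs are in scope, `'?:\Windows\System32\\*'` (and the same for SysWow64) keeps the anchor while accepting any drive letter; otherwise add `- Windows installed on a non-default system drive` under `falsepositives`. The selection list starts above the hunk, so whether other legitimate locations need a filter entry cannot be judged from here.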