diff --git a/rules/windows/builtin/win-susp-mshta-execution.yml b/rules/windows/builtin/win_susp_mshta_execution.yml
similarity index 94%
rename from rules/windows/builtin/win-susp-mshta-execution.yml
rename to rules/windows/builtin/win_susp_mshta_execution.yml
index d762ccb84..1c643abef 100644
--- a/rules/windows/builtin/win-susp-mshta-execution.yml
+++ b/rules/windows/builtin/win_susp_mshta_execution.yml
@@ -25,10 +25,9 @@ detection:
 - '*mshta vbscript:Execute("Execute*'
 - '*mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe*'
 selection2:
- EventID: 4688
- NewProcessName:
+ Image:
 - 'C:\Windows\system32\mshta.exe'
- ProcessCommandLine:
+ CommandLine:
 - '*.jpg*'
 - '*.png*'
 - '*.lnk*'
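Review bot: Replacing `EventID: 4688`, `NewProcessName` and `ProcessCommandLine` in `selection2` with the generic `Image`/`CommandLine` fields only produces matches if the rule's `logsource` block, which sits above this hunk, was switched from the Security event log to `category: process_creation`; the hunk does not show that block, so confirm the change landed in the same commit. The same check applies to the field key owning the `'*mshta vbscript:...'` patterns in the context lines above `selection2:` — if it still reads `ProcessCommandLine`, the two selections now address different field sets and one of them will never match. Separately, the unchanged `Image` value `'C:\Windows\system32\mshta.exe'` matches only the 64-bit copy, so the SysWOW64 build of mshta.exe is not covered; a suffix match such as `Image|endswith: '\mshta.exe'` would close that gap if the Sigma version in use supports the modifier. The enclosing `detection:` mapping starts before and ends after this hunk.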