diff --git a/rules/windows/process_creation/win_renamed_psexec.yml b/rules/windows/process_creation/win_renamed_psexec.yml
index 4a1ab2244..d599d6e0e 100644
--- a/rules/windows/process_creation/win_renamed_psexec.yml
+++ b/rules/windows/process_creation/win_renamed_psexec.yml
@@ -20,9 +20,9 @@ detection:
 Description: 'Execute processes remotely'
 Product: 'Sysinternals PsExec'
 filter:
- Image:
- - '*\PsExec.exe'
- - '*\PsExec64.exe'
+ Image|endswith:
+ - '\PsExec.exe'
+ - '\PsExec64.exe'
 condition: selection and not filter
 falsepositives:
 - Software that illegaly integrates PsExec in a renamed form
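Review bot: The new `Image|endswith` filter carries no comment saying why only the two stock file names are excluded, and because the `selection` above it appears to key on PE metadata (`Description`, `Product`) rather than the file name, a reader can mistake the filter for a whitelist of the tool; add `# selection matches PE metadata; the filter only drops the binary under its original name, so any rename still fires` above `Image|endswith:`. Whether `endswith` compares case-insensitively depends on the backend the rule is converted for, so it is worth confirming that a lowercase `psexec.exe` is still dropped on the targeted backends. The `falsepositives` context line still spells `illegaly`; a follow-up could correct it. The enclosing `detection` block starts before the hunk.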