diff --git a/rules/windows/sysmon/sysmon_creation_system_file.yml b/rules/windows/sysmon/sysmon_creation_system_file.yml
index f322669cc..9f8143c8a 100644
--- a/rules/windows/sysmon/sysmon_creation_system_file.yml
+++ b/rules/windows/sysmon/sysmon_creation_system_file.yml
@@ -15,7 +15,7 @@ logsource:
 detection:
 selection:
 EventID: 11
- TargetFilename:
+ TargetFilename|endswith:
 - '*\svchost.exe'
 - '*\rundll32.exe'
 - '*\services.exe'
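Review bot: The values listed under the new `TargetFilename|endswith:` key still carry their leading `*`, which the `endswith` modifier now supplies on its own, so backends will render a doubled wildcard (`**\svchost.exe`) that is functionally harmless in most targets but leaves the rule mixing two ways of saying the same thing. Since the change is about letting the modifier express the suffix match, the entries should be trimmed to `- '\svchost.exe'`, `- '\rundll32.exe'`, `- '\services.exe'` so the modifier alone defines the matching semantics and the rule behaves the same across backends. The `selection` list may continue past the hunk and the rule's `condition` and any filter for legitimate system directories are outside this view, so the same cleanup presumably applies to the remaining entries.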