diff --git a/rules/windows/process_creation/win_powershell_downgrade_attack.yml b/rules/windows/process_creation/win_powershell_downgrade_attack.yml
index 228f01b13..814dc49bd 100644
--- a/rules/windows/process_creation/win_powershell_downgrade_attack.yml
+++ b/rules/windows/process_creation/win_powershell_downgrade_attack.yml
@@ -36,5 +36,5 @@ detection:
     selection:
         EventID: 4688
         CommandLine|re: '.*-[Vv][Ee][Rr][Ss][Ii][Oo][Nn] 2'
-        Image|endswith: '\powershell.exe'
+        NewProcessName|endswith: '\powershell.exe'
     condition: selection
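Review bot: The `CommandLine|re` pattern kept in the context lines only matches the fully spelled `-Version 2`, but powershell.exe resolves unambiguous parameter prefixes, so the abbreviated forms commonly used in downgrade attacks (`-v 2`, `-ver 2`, `-vers 2`) and multiple spaces before the `2` slip past the rule. Keeping the existing portable character-class style, one line covers all prefixes: `CommandLine|re: '.*-[Vv]([Ee]([Rr]([Ss]([Ii]([Oo][Nn]?)?)?)?)?)? +2'`; the trailing `2` stays unanchored so `2.0` still matches. On the changed line, `NewProcessName` is the native field of Security event 4688, which is consistent with the `EventID: 4688` selection, but note that rules under `process_creation` normally rely on the backend field mapping of the Sysmon-style `Image` name — whether the raw field is the right choice depends on the rule's `logsource` section, which is outside this hunk and should be checked to be `service: security` rather than `category: process_creation`. The `detection:` block continues outside the hunk.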