diff --git a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml
index ff04ad0f7..d8c5ba7bb 100644
--- a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml
@@ -10,7 +10,7 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
+    selection_img:
         Image|endswith:
             - '\net.exe'
             - '\net1.exe'
@@ -26,7 +26,7 @@ detection:
             - ' Administrador ' # Portuguese (Brazil + Portugal) + Spanish
             - ' Administratör ' # Swedish
             - ' guest '
-    condition: selection
+    condition: all of selection_*
 falsepositives:
     - Some fasle positives could occure with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium
 level: high
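Review bot: The new `condition: all of selection_*` in the second hunk only ANDs together selections whose names start with `selection_`, and the selection that carries the account-name list (` Administrador `, ` guest `, ...) sits in the unchanged lines between the two hunks, so its name cannot be verified here; if it is not prefixed `selection_` it drops out of the condition and the rule degenerates to "any net.exe/net1.exe launch", which would be extremely noisy at `level: high`. Please confirm that selection's name matches the wildcard, or name it explicitly, e.g. `condition: selection_img and selection_cli`, so a future rename cannot silently widen the match. The `detection:` block starts inside the first hunk but its full body is outside the diff. Since the rule is being touched anyway, the `modified:` date (outside the shown hunks, if present) should be bumped per Sigma convention, and the typo in the falsepositives context line, `fasle positives could occure`, could be corrected to `false positives could occur` in the same commit.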