diff --git a/rules/windows/process_creation/win_system_exe_anomaly.yml b/rules/windows/process_creation/win_system_exe_anomaly.yml
index 30295b0a0..a3899bf31 100644
--- a/rules/windows/process_creation/win_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/win_system_exe_anomaly.yml
@@ -33,6 +33,7 @@ detection:
 Image:
 - 'C:\Windows\System32\\*'
 - 'C:\Windows\SysWow64\\*'
+ - 'C:\Windows\explorer.exe'
 condition: selection and not filter
 falsepositives:
 - Exotic software
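Review bot: The new filter entry `'C:\Windows\explorer.exe'` carries no comment explaining why it is the one allowed path outside System32/SysWow64. I would add `# explorer.exe is installed in C:\Windows itself, not in System32` directly above it, so a later edit keeps it an exact match and does not widen it to `C:\Windows\\*`, which would suppress the rule for any look-alike system binary in the Windows directory. All three filter entries hard-code the `C:` drive, so a host with Windows installed on another volume will still alert. That predates this change but is worth listing under `falsepositives`. The selection list starts outside the hunk, so I am assuming it already contains an explorer.exe pattern; if it does not, this entry has no effect.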