diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
index f683c2f77..90a8dc127 100644
--- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
+++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
@@ -6,7 +6,7 @@ author: Nasreddine Bencherchali
 references:
 - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
 date: 2022/07/17
-modified: 2022/08/10
+modified: 2022/09/03
 logsource:
 product: windows
 category: image_load
@@ -21,7 +21,8 @@ detection:
 - '\AppData\Local\Temp\'
 - 'C:\PerfLogs\'
 filter:
- ImageLoaded|contains: '\Program Files'
+ - ImageLoaded|contains: '\Program Files'
+ - Image|endswith: '\msiexec.exe'
 condition: selection and not filter
 falsepositives:
 - Unknown
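Review bot: Turning `filter` into a list makes its two entries an OR in Sigma, so the new `- Image|endswith: '\msiexec.exe'` entry suppresses every DLL load by msiexec.exe from any path in `selection` (including `\AppData\Local\Temp\`), not only the Program Files case the old single-map filter covered; the `selection` definition itself starts above this hunk. msiexec.exe loading a DLL out of a user-writable temp directory is exactly the kind of event this rule exists to catch (it is the same process attackers point at a DLL with `msiexec /y`), so a blanket process exclusion removes real coverage. If the false positives were the installer's own temp extraction directory, tie the process to that path instead by making the second entry a single map so both keys must match: `- Image|endswith: '\msiexec.exe'` followed by an indented `ImageLoaded|contains: '\AppData\Local\Temp\MSI'` (adjust the path to what was actually observed). The `falsepositives` section still reads `- Unknown`; it should now name the msiexec/MSI installer behavior that motivated this exclusion so the next maintainer does not widen it further.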