diff --git a/rules/windows/file_event/file_event_bloodhound_collection.yml b/rules/windows/file_event/file_event_bloodhound_collection.yml
index 5ec7fd6b1..9c0684d33 100644
--- a/rules/windows/file_event/file_event_bloodhound_collection.yml
+++ b/rules/windows/file_event/file_event_bloodhound_collection.yml
@@ -22,17 +22,17 @@ logsource:
 detection:
 selection1:
 TargetFilename|endswith:
- - '\_BloodHound.zip'
- - '\_computers.json'
- - '\_containers.json'
- - '\_domains.json'
- - '\_gpos.json'
- - '\_groups.json'
- - '\_ous.json'
- - '\_users.json'
+ - '_BloodHound.zip'
+ - '_computers.json'
+ - '_containers.json'
+ - '_domains.json'
+ - '_gpos.json'
+ - '_groups.json'
+ - '_ous.json'
+ - '_users.json'
 selection2:
 TargetFilename|contains|all:
- - '\BloodHound'
+ - 'BloodHound'
 - '.zip'
 condition: 1 of selection*
 falsepositives:
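Review bot: Dropping the leading `\` from every `endswith` value in selection1 and from `'\BloodHound'` in selection2 removes the path-separator anchor, so the rule now fires on any filename that merely ends in `_users.json`, `_groups.json` or `_domains.json`, and on any `.zip` written under a path that contains the string `BloodHound` anywhere (a tools directory or a downloaded release archive, for example). The widening is presumably intentional, since collector output is normally written with a prefix before the underscore and the old `\_computers.json` form would only match a file named exactly `_computers.json`, but the diff leaves that reasoning undocumented. Consider a short `# endswith without a leading backslash: collector output carries a prefix before the underscore` comment above selection1 so the next maintainer does not "fix" it back. The `falsepositives:` list that starts on the hunk's last line continues outside the hunk and should gain entries for unrelated exports ending in `_users.json`/`_groups.json` and for archives under a `BloodHound`-named directory, since both are now in scope of `1 of selection*`.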