diff --git a/rules/windows/file_event/sysmon_non_priv_program_files_move.yml b/rules/windows/file_event/sysmon_non_priv_program_files_move.yml
index 51af9b500..b7440b4b6 100644
--- a/rules/windows/file_event/sysmon_non_priv_program_files_move.yml
+++ b/rules/windows/file_event/sysmon_non_priv_program_files_move.yml
@@ -21,10 +21,11 @@ detection:
         - TargetFilename|contains:
             - '\Program Files\'
             - '\Program Files (x86)\'
-        - TargetFilename|startswith: '\Windows\'
+    windows:
+        TargetFilename|startswith: '\Windows\'
     temp:
         TargetFilename|contains: 'temp'
-    condition: integrity and (program_files or temp)
+    condition: integrity and (program_files or windows and not temp)
 falsepositives:
     - Unknown
 level: medium
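Review bot: The `temp` exclusion keyed on the bare substring `'temp'` now suppresses the whole `windows` selection for any path that contains that substring anywhere, not only the `\Windows\Temp\` directory, so the blind spot is wider than the intended one; narrowing it to `TargetFilename|contains: '\Windows\Temp\'` keeps the exclusion to that directory. The new condition also relies on `and` binding tighter than `or`; writing `condition: integrity and (program_files or (windows and not temp))` makes the intended grouping explicit. Separately, if TargetFilename carries a drive letter, as Sysmon file-create events usually do, `startswith: '\Windows\'` in the new `windows` selection would not match; `TargetFilename|contains: '\Windows\'` would, and it matches the style already used by `program_files`. The `detection` map and the `program_files` selection begin above the hunk.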