diff --git a/rules/windows/process_creation/proc_creation_win_malware_rorschach_ransomware_activity.yml b/rules/windows/process_creation/proc_creation_win_malware_rorschach_ransomware_activity.yml
index f79a2323a..31e932640 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_rorschach_ransomware_activity.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_rorschach_ransomware_activity.yml
@@ -20,7 +20,7 @@ detection:
 - '\bcdedit.exe'
 - '\net.exe'
 - '\netsh.exe'
- - '\wevtuil.exe'
+ - '\wevtutil.exe'
 - '\vssadmin.exe'
 CommandLine|contains: '11111111'
 condition: selection
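Review bot: The corrected `'\wevtutil.exe'` entry changes what this rule matches, yet the visible diff touches only the detection list and leaves the rule's metadata alone; if the file carries a `modified` field it should be updated with this change (`modified: <date of this fix>`) so consumers that sync rules by that field pick up the fix. The list appears to match on the process image path only (the key it belongs to starts above the hunk), so it depends on the binaries keeping their original names; pairing it with an `OriginalFileName` selection, where the log source provides that field, would make the rule more robust. The `CommandLine|contains: '11111111'` value is short and generic, so a one-line comment stating why that string is expected would help anyone tuning false positives later.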