diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
index 45c4fd64a..97121b181 100644
--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/05/26"
+updated_date = "2021/11/07"
 
 [rule]
 author = ["Elastic"]
@@ -24,10 +24,10 @@ type = "eql"
 query = '''
 sequence by process.entity_id
-  [process where (process.name : "expand.exe" or process.name : "extrac.exe" or
+  [process where (process.name : "expand.exe" or process.name : "extrac32.exe" or
     process.name : "ieexec.exe" or process.name : "makecab.exe") and event.type == "start"]
-  [network where (process.name : "expand.exe" or process.name : "extrac.exe" or
+  [network where (process.name : "expand.exe" or process.name : "extrac32.exe" or
     process.name : "ieexec.exe" or process.name : "makecab.exe") and
     not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",