diff --git a/rules/windows/defense_evasion_untrusted_driver_loaded.toml b/rules/windows/defense_evasion_untrusted_driver_loaded.toml
index cdea35a2d..c9a0df30c 100644
--- a/rules/windows/defense_evasion_untrusted_driver_loaded.toml
+++ b/rules/windows/defense_evasion_untrusted_driver_loaded.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/27"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/09/04"
 
 [transform]
 [[transform.osquery]]
@@ -112,7 +112,7 @@ type = "eql"
 
 query = '''
 driver where host.os.type == "windows" and process.pid == 4 and
-  dll.code_signature.trusted != true and
+  (dll.code_signature.trusted == false or dll.code_signature.exists == false) and
   not dll.code_signature.status : ("errorExpired", "errorRevoked", "errorCode_endpoint:*")
 '''
 
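Review bot: The new `dll.code_signature.exists == false` branch is gated by the unchanged `not dll.code_signature.status : (...)` clause on the next line, and that interaction is not addressed: an unsigned driver may carry no `dll.code_signature.status` field at all, and if the EQL engine treats `not` over a comparison on a missing field as a non-match rather than a match, the unsigned case this commit adds would never produce an alert, so it is worth confirming against a real unsigned-driver sample event. Replacing `trusted != true` with `trusted == false` also silently changes behavior for events where `trusted` is absent but `exists` is true; if that tightening is deliberate (presumably to cut noise from partially populated code_signature objects), record it with a TOML comment above `query = '''`, e.g. `# Only explicit untrusted (trusted == false) or unsigned (exists == false) drivers match; a missing trusted field no longer fires.`. Note as well that the pre-existing `errorCode_endpoint:*` wildcard now also applies to the unsigned branch, so any endpoint-side verification error emitted for an unsigned driver would suppress the alert; if such events are expected, that exclusion should probably be scoped to the `trusted == false` case only.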