diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml
index 08daee8a1..4a0f4603b 100644
--- a/rules/windows/execution_shared_modules_local_sxs_dll.toml
+++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml
@@ -24,7 +24,7 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "eql"
 query = '''
-file where file.path : "C:\\*\\*.exe.local\\*.dll"
+file where file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll"
 '''