diff --git a/rules/credential_access_credential_access_from_backups_via_rundll32.yml b/rules/credential_access_credential_access_from_backups_via_rundll32.yml
index d35e98b59..d8a9301aa 100644
--- a/rules/credential_access_credential_access_from_backups_via_rundll32.yml
+++ b/rules/credential_access_credential_access_from_backups_via_rundll32.yml
@@ -17,7 +17,7 @@ labels:
 condition: >
 spawn_process and
- (ps.child.name ~= 'rundll32.exe' or pe.ps.child.file.name ~= 'rundll32.exe')
+ (ps.child.name ~= 'rundll32.exe' or ps.child.pe.file.name ~= 'rundll32.exe')
 and (ps.child.args iin ('keymgr.dll') and ps.child.args iin ('KRShowKeyMgr'))