diff --git a/rules/windows/builtin/win_user_added_to_local_administrators.yml b/rules/windows/builtin/win_user_added_to_local_administrators.yml
index 59fa82a9..99bb4e2d 100644
--- a/rules/windows/builtin/win_user_added_to_local_administrators.yml
+++ b/rules/windows/builtin/win_user_added_to_local_administrators.yml
@@ -5,7 +5,7 @@ description: This rule triggers on user accounts that are added to the local Adm
 status: stable
 author: Florian Roth
 date: 2017/03/14
-modified: 2021/06/25
+modified: 2021/07/07
 tags:
 - attack.privilege_escalation
 - attack.t1078
@@ -18,9 +18,9 @@ detection:
 selection:
 EventID: 4732
 selection_group1:
- GroupName|startswith: 'Administr'
+ TargetUserName|startswith: 'Administr'
 selection_group2:
- GroupSid: 'S-1-5-32-544'
+ TargetSid: 'S-1-5-32-544'
 filter:
 SubjectUserName|endswith: '$'
 condition: selection and (1 of selection_group*) and not filter
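Review bot: The new `TargetUserName|startswith: 'Administr'` selector in selection_group1 is locale-dependent and prefix-based, so it will also fire on any custom local group whose name happens to start with "Administr" (e.g. "Administrative Staff"), whereas the new `TargetSid: 'S-1-5-32-544'` in selection_group2 already identifies the built-in Administrators group unambiguously in every locale. The rule should state why the name match is kept alongside the SID, e.g. a comment above selection_group1: `# name match is a fallback for forwarders that drop TargetSid; S-1-5-32-544 is the authoritative selector`. Separately, the unchanged `SubjectUserName|endswith: '$'` filter excludes every addition performed under a machine-account context, which presumably covers anything run as SYSTEM (scheduled tasks, services, remote execution tools), so a local-admin add from that context is silently dropped — worth noting in the rule's description or falsepositives, which lie outside this hunk. The `detection:` mapping starts before this hunk.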