diff --git a/rules/windows/builtin/win_access_fake_files_with_stored_credentials.yml b/rules-unsupported/win_access_fake_files_with_stored_credentials.yml
similarity index 84%
rename from rules/windows/builtin/win_access_fake_files_with_stored_credentials.yml
rename to rules-unsupported/win_access_fake_files_with_stored_credentials.yml
index ab2533ba..c8f95ed7 100644
--- a/rules/windows/builtin/win_access_fake_files_with_stored_credentials.yml
+++ b/rules-unsupported/win_access_fake_files_with_stored_credentials.yml
@@ -17,8 +17,8 @@ detection:
 EventID: 4663
 AccessList|contains: '%%4416'
 ObjectName|endswith:
- - '\{641ECF7F-6AC4-4A63-BF85-DFDE140E9F89}\Machine\Preferences\Groups\Groups.xml'
- - '\Panther\Unattend.xml'
+ - '\%POLICY_ID%\Machine\Preferences\Groups\Groups.xml'
+ - '\%FOLDER_NAME%\Unattend.xml'
 condition: selection
 fields:
 - EventID
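Review bot: The new `%POLICY_ID%` and `%FOLDER_NAME%` values under `ObjectName|endswith` are placeholders that only work once a converter-side placeholder mapping exists, yet nothing in the hunk tells the analyst what to put there; until expanded, the rule compares against the literal strings and silently matches nothing. Add a comment above `ObjectName|endswith:` such as `# %POLICY_ID% / %FOLDER_NAME% are Sigma placeholders: set them in the converter's placeholder config to the GUID-named folder of the decoy GPP policy (old value: {641ECF7F-6AC4-4A63-BF85-DFDE140E9F89}) and to the directory holding the decoy Unattend.xml (old value: Panther); unexpanded, this selection never fires.` It is also worth confirming that placeholder expansion leaves the neighbouring context line `AccessList|contains: '%%4416'` untouched, since that value uses Windows' `%%` resolved-string notation rather than a Sigma placeholder. The rule's title, description and falsepositives sections sit above this hunk and are not visible here, so the substitution guidance may belong in the description instead if it is already partly covered there.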