diff --git a/packs/osx-attacks.conf b/packs/osx-attacks.conf
index 36a48494..d5c7a32c 100644
--- a/packs/osx-attacks.conf
+++ b/packs/osx-attacks.conf
@@ -202,7 +202,7 @@
       "value": "Artifact used by this malware"
     },
     "Keranger_2": {
-      "query": "select * from file where path like '/Users/%/Library/.kernel_%' or path like '/Users/%/Library/kernel_service';",
+      "query": "select * from file where path like '/Users/%/Library/.kernel_%' union select * from file where path like '/Users/%/Library/kernel_service';",
       "interval": "86400",
       "description": "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/",
       "value": "Artifact used by this malware"