diff --git a/queries/windows/rundll32_possible_cobalt_strike.yml b/queries/windows/rundll32_possible_cobalt_strike.yml
index 430746f..dcfbca9 100644
--- a/queries/windows/rundll32_possible_cobalt_strike.yml
+++ b/queries/windows/rundll32_possible_cobalt_strike.yml
@@ -7,7 +7,7 @@ mitre:
 tactic: Defense Evasion
 technique: T1218
 subtechnique: 011
-operating_system:
+operating_system: windows
 query: ( SrcProcName In AnyCase ( "rundll32.exe" ) AND SrcProcCmdLine IS EMPTY ) OR ( SrcProcName In AnyCase ( "rundll32.exe" ) AND NetConnOutCount > "0" AND SrcProcParentName Not In ( "splwow64.exe" ) AND SrcProcParentName Not In ( "msiexec.exe" ) AND SrcProcCmdLine RegExp ".*((?!C:\\windows\\system32\\spool\\DRIVERS\\.*,MonitorPrintJobStatus))$/gmi" )
 false_positives:
 - Printer drivers
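Review bot: The `RegExp` pattern on the context `query:` line ends in `$/gmi` inside the quoted string, which looks like a JavaScript regex-literal flag suffix pasted in with the pattern; if the query engine takes the string literally, an end anchor followed by a literal `/gmi` can never match, so the second `OR` branch (the network-connection case) would silently never fire. The negative lookahead is also placed after a greedy `.*`, where it is evaluated at end of input and always succeeds, so the printer-driver exclusion that the `false_positives` entry refers to is not actually applied even once the suffix is dropped. Anchoring the lookahead at the start expresses the intended exclusion: `SrcProcCmdLine RegExp "^(?!.*C:\\windows\\system32\\spool\\DRIVERS\\.*,MonitorPrintJobStatus).*$"`. This line is unchanged context, so the defect predates the commit, but it determines whether the detection this file defines can produce any hit at all and is worth fixing alongside the `operating_system` field.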