diff --git a/detection/privesc/unexpected-privilege-escalation-events.sql b/detection/privesc/unexpected-privilege-escalation-events.sql
index c7cf69a..9b00ef0 100644
--- a/detection/privesc/unexpected-privilege-escalation-events.sql
+++ b/detection/privesc/unexpected-privilege-escalation-events.sql
@@ -30,8 +30,8 @@ FROM
 JOIN processes pp ON p.parent = pp.pid
 LEFT JOIN file ON p.path = file.path
 LEFT JOIN hash ON p.path = hash.path
- LEFT JOIN file AS pfile ON pp.path = file.path
- LEFT JOIN hash AS phash ON pp.path = hash.path
+ LEFT JOIN file AS pfile ON pp.path = pfile.path
+ LEFT JOIN hash AS phash ON pp.path = phash.path
 WHERE
 p.time > (strftime('%s', 'now') -30)
 AND p.euid < pp.euid
diff --git a/detection/privesc/unexpected-privilege-escalation.sql b/detection/privesc/unexpected-privilege-escalation.sql
index 2d4ea21..8d14db1 100644
--- a/detection/privesc/unexpected-privilege-escalation.sql
+++ b/detection/privesc/unexpected-privilege-escalation.sql
@@ -30,8 +30,8 @@ FROM
 JOIN processes pp ON p.parent = pp.pid
 LEFT JOIN file ON p.path = file.path
 LEFT JOIN hash ON p.path = hash.path
- LEFT JOIN file AS pfile ON pp.path = file.path
- LEFT JOIN hash AS phash ON pp.path = hash.path
+ LEFT JOIN file AS pfile ON pp.path = pfile.path
+ LEFT JOIN hash AS phash ON pp.path = phash.path
 WHERE
 p.euid < pp.euid
 AND p.path NOT IN (
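Review bot: In the events query, `JOIN processes pp ON p.parent = pp.pid` is an inner join against the live process table, so a row is silently dropped whenever the parent has exited before the query runs. A recycled pid could also attach an unrelated parent, which makes the `p.euid < pp.euid` comparison unreliable. The `p.time > (strftime('%s', 'now') -30)` filter suggests `p` is event-sourced, but the first table after FROM is outside the hunk, so confirm that. If it is, also check that the schedule interval is no longer than the 30-second window. At minimum I would document the gap above the join, e.g. `-- parent is resolved from the live process table; events whose parent already exited produce no row`.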
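Review bot: The `pfile` and `phash` joins are keyed on `pp.path` and evaluated at query time, so they describe whatever file sits at that path now, not necessarily the image the parent is executing. If the binary was replaced or unlinked after exec, the parent hash is misleading or NULL. With the alias fix these columns resolve for the first time, so anything downstream that keys on the parent hash may start trusting them. I would add a comment such as `-- pfile/phash reflect the file currently at pp.path, not necessarily the running image`. Consider also selecting `pp.on_disk` beside the hash, which at least shows whether the path still exists. The SELECT list is outside the hunk, and the same two joins appear in unexpected-privilege-escalation-events.sql.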