diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index 5a1152c12..fe114d875 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -10,14 +10,14 @@ logsource:
 product: windows
 detection:
 keywords:
- - mimikatz
- - mimilib
- - <3 eo.oe
- - eo.oe.kiwi
- - privilege::debug
- - sekurlsa::logonpasswords
- - lsadump::sam
- - mimidrv.sys
+ - "* mimikatz *"
+ - "* mimilib *"
+ - "* <3 eo.oe *"
+ - "* eo.oe.kiwi *"
+ - "* privilege::debug *"
+ - "* sekurlsa::logonpasswords *"
+ - "* lsadump::sam *"
+ - "* mimidrv.sys *"
 condition: keywords
 falsepositives:
 - Naughty administrators
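Review bot: Wrapping every keyword in `"* … *"` restricts a match to occurrences that have a literal space on both sides, so values that sit next to punctuation or at the start or end of a field — `mimikatz.exe`, a path ending in `mimidrv.sys`, a quoted `"lsadump::sam"` argument — stop matching, which is a coverage regression relative to the bare keywords this hunk removes. Whether the bare form was a substring or a token search depends on the backend, so if substring semantics were intended the portable spelling is `- "*mimikatz*"` (and likewise for the other seven entries), and if the space-delimited form is deliberate to cut false positives it deserves a comment above `keywords:` such as `# space-delimited wildcards on purpose: whole-token match, trades coverage for fewer FPs`, so the next editor does not revert it. The rule's title, id and level are outside the hunk, so I cannot tell whether the description was updated to reflect the narrower matching.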