diff --git a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
index c864f4381..85d50ff89 100644
--- a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
+++ b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
@@ -9,8 +9,9 @@ logsource:
 detection:
     selection:
         EventID: 13
-        TargetObject: 'HKEY_USERS\Software\Classes\exefile\shell\runas\command\isolatedCommand'
+        TargetObject: 'HKEY_USERS\*\Classes\exefile\shell\runas\command\isolatedCommand'
     condition: selection
 falsepositives:
     - unknown
 level: high
+
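Review bot: The new TargetObject pattern on the `+` line drops the `Software\` path component in addition to inserting the `*` after the hive root, and nothing in the rule records why, so a later maintainer may "fix" it back and narrow the match. It looks like the intent is for the middle wildcard to cover both `HKEY_USERS\<SID>\Software\Classes\...` and the per-user `HKEY_USERS\<SID>_Classes\...` hive that HKCU\Software\Classes is redirected to, but that is inferred; confirm against real Sysmon Event 13 records, which may render the root as `HKU\` rather than `HKEY_USERS\`, in which case the prefix itself would need adjusting. A short comment above the field would capture the decision, e.g. `# '*' also covers the per-user <SID>_Classes hive, so 'Software\' is intentionally omitted`. The surrounding `detection`/`falsepositives` structure is otherwise unchanged by this hunk.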