diff --git a/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml b/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml
new file mode 100644
index 000000000..6e9c71ef5
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml
@@ -0,0 +1,37 @@
+title: Sticky Key Like Backdoor Usage
+id: 2fdefcb3-dbda-401e-ae23-f0db027628bc
+related:
+ - id: baca5663-583c-45f9-b5dc-ea96a22ce542
+ type: derived
+description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login
+ screen
+references:
+ - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
+tags:
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1015 # an old one
+ - attack.t1546.008
+ - car.2014-11-003
+ - car.2014-11-008
+author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
+date: 2018/03/15
+modified: 2021/09/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_process:
+ ParentImage|endswith: '\winlogon.exe'
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains:
+ - 'sethc.exe'
+ - 'utilman.exe'
+ - 'osk.exe'
+ - 'Magnify.exe'
+ - 'Narrator.exe'
+ - 'DisplaySwitch.exe'
+ condition: selection_process
+falsepositives:
+ - Unlikely
+level: critical
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml b/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml
similarity index 73%
rename from rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
rename to rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml
index eeaeb2cf6..2ec90b7c1 100755
--- a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
+++ b/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml
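Review bot: The new file ends without a trailing newline (`\ No newline at end of file` after `level: critical`), which yamllint's new-line-at-end-of-file check flags; the renamed registry_event rule in the next file section has the same issue. The detection matches only `Image|endswith: '\cmd.exe'` under a winlogon.exe parent, so a debugger registered to a different image is outside this rule's scope; that limitation is worth stating, for example with a comment on the `Image|endswith` line such as `# only cmd.exe as the registered debugger is covered here`. The tag `attack.t1015 # an old one` is kept next to `attack.t1546.008`; if the older technique id is intentionally retained for compatibility with existing mappings, the comment should say so rather than just "an old one".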
@@ -1,5 +1,5 @@
-action: global
 title: Sticky Key Like Backdoor Usage
+id: baca5663-583c-45f9-b5dc-ea96a22ce542
 description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login
 screen
 references:
@@ -13,12 +13,7 @@ tags:
 - car.2014-11-008
 author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
 date: 2018/03/15
-modified: 2020/11/28
-falsepositives:
- - Unlikely
-level: critical
----
-id: baca5663-583c-45f9-b5dc-ea96a22ce542
+modified: 2021/09/12
 logsource:
 category: registry_event
 product: windows
@@ -31,21 +26,7 @@ detection:
 - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
 - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
 - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
- condition: 1 of them
----
-id: 2fdefcb3-dbda-401e-ae23-f0db027628bc
-logsource:
- category: process_creation
- product: windows
-detection:
- selection_process:
- ParentImage|endswith: '\winlogon.exe'
- Image|endswith: '\cmd.exe'
- CommandLine|contains:
- - 'sethc.exe'
- - 'utilman.exe'
- - 'osk.exe'
- - 'Magnify.exe'
- - 'Narrator.exe'
- - 'DisplaySwitch.exe'
- condition: 1 of them
+ condition: selection_registry
+falsepositives:
+ - Unlikely
+level: critical
\ No newline at end of file
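Review bot: The registry rule gains `id: baca5663-583c-45f9-b5dc-ea96a22ce542` but no `related` entry pointing to the process_creation rule that was split out of it, while that new rule declares `related: - id: baca5663-... type: derived`; if the link between the two halves of the former global rule is meant to be discoverable from either side, a reciprocal `related:` block with `id: 2fdefcb3-dbda-401e-ae23-f0db027628bc` belongs here too. Whether a one-directional link is sufficient depends on the repository's convention, so treat this as a question rather than a defect.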
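Review bot: `condition: selection_registry` replaces `1 of them`, so the rule now depends on the selection declared under `detection:` being named exactly `selection_registry`; that declaration sits above this hunk, outside the visible lines, and the old condition did not care about the name, so a typo there would surface only as a validation failure — confirm the identifier matches. If the selection is named differently, the one-line fix is to align either the selection key or the condition, e.g. `condition: selection_registry` with `selection_registry:` as the selection key.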