diff --git a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
index f566bc863..737f18139 100755
--- a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
@@ -32,9 +32,9 @@ logsource:
 product: windows
 detection:
 methprocess:
- ParentImage: '*\eventvwr.exe'
+ ParentImage|endswith: '\eventvwr.exe'
 filterprocess:
- Image: '*\mmc.exe'
+ Image|endswith: '\mmc.exe'
 condition: methprocess and not filterprocess
 fields:
 - CommandLine
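Review bot: The `filterprocess` exclusion `Image|endswith: '\mmc.exe'` keys on the file name alone, so a payload dropped as e.g. `C:\Users\x\mmc.exe` and spawned by eventvwr.exe is suppressed exactly like the legitimate console host, and `condition: methprocess and not filterprocess` then never fires. The commit only swaps the trailing wildcard for `|endswith`, which keeps the same name-only match and leaves that evasion open. Pinning the filter to the expected full paths closes it: `Image:` / `- 'C:\Windows\System32\mmc.exe'` / `- 'C:\Windows\SysWOW64\mmc.exe'`, which is equivalent for benign Event Viewer launches and still catches a renamed payload. The `logsource` block begins above the hunk, so I cannot confirm from here which event category `ParentImage`/`Image` are being evaluated against; that is worth checking given the file sits under `registry_event`.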