diff --git a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml
index 7a4e2b514..e476b03c3 100644
--- a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml
+++ b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml
@@ -32,8 +32,8 @@ detection:
 - 'C:\Users\\*\AppData\Local\Microsoft\OneDrive\\*\Microsoft.SharePoint.exe'
 - 'C:\Program Files (x86)\'
 - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
- - 'C:\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
- - 'C:\Users\*\AppData\Roaming\Spotify\Spotify.exe'
+ - 'C:\Users\\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
+ - 'C:\Users\\*\AppData\Roaming\Spotify\Spotify.exe'
 - Image|endswith: '\opera_autoupdate.exe'
 condition: selection and not filter
 falsepositives:
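Review bot: The two corrected entries exclude processes by path under user-writable directories (`\AppData\Local\Microsoft\OneDrive\OneDrive.exe`, `\AppData\Roaming\Spotify\Spotify.exe`), so once the wildcard actually works, any executable placed in a user profile under one of those names is no longer reported by this credential-prompt DLL rule, and the commit does not record that trade-off anywhere. The escaping change itself looks correct for Sigma: `\*` is an escaped, literal asterisk, so the old entries could never match a real path, while `\\*` is a literal backslash followed by a wildcard, consistent with the `Microsoft.SharePoint.exe` entry above. Consider documenting the weakening in the `falsepositives` section, e.g. `- Legitimate OneDrive and Spotify installs in user profiles; an unrelated binary at these user-writable paths is excluded as well`, so analysts tuning the rule know the exclusion is path-only. The `filter` mapping and its field modifier begin above the hunk, so whether these values are matched in full or with a prefix/suffix modifier cannot be confirmed from here.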