diff --git a/rules/windows/malware/mal_azorult_reg.yml b/rules/windows/malware/mal_azorult_reg.yml
index db5a39521..0fc7cad61 100644
--- a/rules/windows/malware/mal_azorult_reg.yml
+++ b/rules/windows/malware/mal_azorult_reg.yml
@@ -17,7 +17,7 @@ detection:
 EventID:
 - 12
 - 13
- TargetObject|startswith:
+ TargetObject|endswith:
 - 'SYSTEM\\*\services\localNETService'
 condition: selection
 fields:
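Review bot: With `TargetObject|endswith`, the selection matches only when the path ends exactly in `\services\localNETService`, so EventID 13 (value set) events, whose TargetObject normally carries the value name after the key path, will probably stop matching while EventID 12 on the key itself still does. If value writes under the key are meant to be covered, `TargetObject|contains: '\services\localNETService'` would catch both forms. The pattern also still begins with `SYSTEM`, so it relies on the converter's leading wildcard to absorb the hive prefix; a short comment such as `# matches HKLM\System\<ControlSet>\services\localNETService` would make that intent explicit. The selection starts above the hunk and the `fields:` list continues below it, so the log source and any further conditions are not visible here.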