diff --git a/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml
index 9349ff725..c87d2af65 100644
--- a/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml
+++ b/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml
@@ -16,7 +16,7 @@ detection:
     selection:
         EventID: 7
         Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
-        ImageLoaded: 'wbemcons.dll'
+        ImageLoaded|endswith: '\wbemcons.dll'
     condition: selection
 falsepositives: 
     - Unknown (data set is too small; further testing needed)