diff --git a/rules/windows/process_creation/proc_creation_win_credential_acquisition_registry_hive_dumping.yml b/rules/windows/process_creation/proc_creation_win_credential_acquisition_registry_hive_dumping.yml
index 21512aa79..a76c75e6a 100644
--- a/rules/windows/process_creation/proc_creation_win_credential_acquisition_registry_hive_dumping.yml
+++ b/rules/windows/process_creation/proc_creation_win_credential_acquisition_registry_hive_dumping.yml
@@ -22,5 +22,7 @@ detection:
 CommandLine|contains:
 - 'hklm\sam'
 - 'hklm\security'
+ - 'HKEY_LOCAL_MACHINE\SAM'
+ - 'HKEY_LOCAL_MACHINE\SECURITY'
 condition: all of selection_*
 level: high
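Review bot: The rule's revision metadata is not updated with this detection-logic change: the diff has a single hunk at line 22 and nothing touches the rule header. If the rule carries a `modified:` field, bump it in the same commit so consumers that track revisions by it see that coverage changed. The two new strings are written in upper case while the existing entries are lower case. Sigma's `contains` matches case-insensitively by default, so `- 'hkey_local_machine\sam'` and `- 'hkey_local_machine\security'` would behave the same and keep the list uniform. The other `selection_*` blocks required by `condition: all of selection_*` lie outside the hunk, so the overall match logic cannot be judged from here.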