diff --git a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
index 539827197..c8d6bed39 100644
--- a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
+++ b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
@@ -2,7 +2,7 @@ title: Accessing WinAPI in PowerShell. Credentials Dumping
 id: 3f07b9d1-2082-4c56-9277-613a621983cc
 description: Detects Accessing to lsass.exe by Powershell
 status: experimental
-author: Natalia Shornikova
+author: oscd.community, Natalia Shornikova
 date: 2020/10/06
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
@@ -17,8 +17,8 @@ detection:
 EventID:
 - 8
 - 10
-SourceImage: '*\powershell.exe'
-TargetImage: '*\lsass.exe'
+SourceImage|endswith: '\powershell.exe'
+TargetImage|endswith: '\lsass.exe'
 condition: selection
 falsepositives: Unknown
 level: high
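Review bot: The new `SourceImage|endswith: '\powershell.exe'` in the second hunk still matches only Windows PowerShell, so a PowerShell 7 host (`pwsh.exe`) opening lsass.exe or injecting into it would not fire a rule titled for PowerShell generally; `powershell_ise.exe` is in the same position. Turning the value into a list keeps the modifier and closes the gap: `SourceImage|endswith:` / `- '\powershell.exe'` / `- '\pwsh.exe'` (the ISE host can be appended the same way). Sigma matching is case-insensitive by default, so the lowercase image names are fine as written. The selection also puts no GrantedAccess constraint on EventID 10, so any access right a PowerShell process requests on lsass triggers at level high — probably intended, but the resulting noise belongs under falsepositives rather than `Unknown`. The `detection:`/`selection:` mapping that encloses these keys begins above the hunk.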