diff --git a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
index af430e49a..1bbe17aec 100755
--- a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
+++ b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
@@ -10,7 +10,7 @@ tags:
     - attack.t1060 # an old one
     - attack.t1547.001
 date: 2018/08/25
-modified: 2020/09/06
+modified: 2021/10/30
 logsource:
     category: registry_event
     product: windows
@@ -27,6 +27,7 @@ detection:
             - 'C:\Users\Public\'
             - 'C:\Users\Default\'
             - 'C:\Users\Desktop\'
+            - '\AppData\Local\Temp\'
         - Details|startswith:
             - '%Public%\'
             - 'wscript'
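Review bot: The new `'\AppData\Local\Temp\'` entry in the second hunk widens the `Details` match to a location that legitimate installers and updaters commonly write Run/RunOnce entries into for post-reboot cleanup, so the rule's `falsepositives` section (outside the hunk) should be updated in the same change to name that case, otherwise analysts triaging the alert have no guidance on the expected noise. Unlike the surrounding `C:\...` values this one is a profile-relative fragment, so it also matches paths such as `C:\Users\<user>\AppData\Local\Temp\` under any drive or user — presumably intended, but worth stating in the rule `description`, e.g. `# profile-relative: matches any user's local Temp, regardless of drive letter`. The list this line extends (likely a `Details|contains` modifier) begins above the hunk, so the full set of matched folders is not visible here.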