diff --git a/rules/windows/builtin/win_user_driver_loaded.yml b/rules/windows/builtin/win_user_driver_loaded.yml
index 5abc45e1f..d829a0781 100644
--- a/rules/windows/builtin/win_user_driver_loaded.yml
+++ b/rules/windows/builtin/win_user_driver_loaded.yml
@@ -21,18 +21,18 @@ detection:
         Service: '-'
     selection_2:
         ProcessName|contains:
-            - '*\Windows\System32\Dism.exe'
-            - '*\Windows\System32\rundll32.exe'
-            - '*\Windows\System32\fltMC.exe'
-            - '*\Windows\HelpPane.exe'
-            - '*\Windows\System32\mmc.exe'
-            - '*\Windows\System32\svchost.exe'
-            - '*\Windows\System32\wimserv.exe'
-            - '*\procexp64.exe'
-            - '*\procexp.exe'
-            - '*\procmon64.exe'
-            - '*\procmon.exe'
-            - '*\Google\Chrome\Application\chrome.exe'
+            - '\Windows\System32\Dism.exe'
+            - '\Windows\System32\rundll32.exe'
+            - '\Windows\System32\fltMC.exe'
+            - '\Windows\HelpPane.exe'
+            - '\Windows\System32\mmc.exe'
+            - '\Windows\System32\svchost.exe'
+            - '\Windows\System32\wimserv.exe'
+            - '\procexp64.exe'
+            - '\procexp.exe'
+            - '\procmon64.exe'
+            - '\procmon.exe'
+            - '\Google\Chrome\Application\chrome.exe'
     condition: selection_1 and not selection_2
 falsepositives:
     - 'Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.'