diff --git a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
index c49df6bc1..a0ae78a12 100644
--- a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
+++ b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
@@ -19,7 +19,7 @@ logsource:
     product: windows
 detection:
     selection_1:
-        Image: '*\reg.exe'
+        Image|endswith: '\reg.exe'
         CommandLine|contains:
             - 'save'
             - 'export'
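Review bot: The new `Image|endswith: '\reg.exe'` line still anchors the whole selection on the executable's path, so a copy of reg.exe run under another name produces no match even though the `save`/`export` command line is identical. Since the keys inside `selection_1` are ANDed, the image test cannot simply be OR'd with another field in place; the usual Sigma shape is a separate image selection such as `selection_img:` with the list items `- Image|endswith: '\reg.exe'` and `- OriginalFileName: 'reg.exe'`, keeping the `CommandLine|contains` list in its own selection and joining them in the condition. The `condition:` line and the rest of the `detection:` block are outside this hunk, so that rename would need to be carried through there as well. If the rule's `modified:` field was not bumped in the same commit (it is not visible in the hunk), it should be, since the matching semantics of the rule changed.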