diff --git a/rules/windows/builtin/security/win_susp_rc4_kerberos.yml b/rules/windows/builtin/security/win_susp_rc4_kerberos.yml index 3f7576a13..76abc6f50 100644 --- a/rules/windows/builtin/security/win_susp_rc4_kerberos.yml +++ b/rules/windows/builtin/security/win_susp_rc4_kerberos.yml @@ -10,7 +10,7 @@ tags: description: Detects service ticket requests using RC4 encryption type author: Florian Roth date: 2017/02/06 -modified: 2021/08/14 +modified: 2022/06/19 logsource: product: windows service: security @@ -20,7 +20,7 @@ detection: TicketOptions: '0x40810000' TicketEncryptionType: '0x17' reduction: - ServiceName|startswith: '$' + ServiceName|endswith: '$' condition: selection and not reduction falsepositives: - Service accounts used on legacy systems (e.g. NetApp)
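Review bot: in the second hunk, changing the `reduction` filter from `ServiceName|startswith: '$'` to `ServiceName|endswith: '$'` is the correct fix: computer and managed service account names carry the `$` as a suffix, not a prefix, so the old condition never matched and `selection and not reduction` fired on every RC4 (`0x17`) TGS request for a machine account. Two things to confirm before merging: first, the new filter now suppresses any ServiceName ending in `$`, so an RC4 ticket requested for a non-computer principal that happens to end in `$` is also dropped; if the intent is only to exclude machine accounts, a more specific pattern would keep those visible. Second, since this changes rule behaviour rather than just metadata, it would be worth adding a small test case to the rule's test data covering one `HOST$`-style name (should be reduced) and one plain SPN name (should still alert), so the regression the old `startswith` introduced cannot recur silently. The `modified: 2022/06/19` bump in the first hunk correctly accompanies this behavioural change.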