diff --git a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
index 0ecd0dfe1..2c6ae5ca2 100755
--- a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
+++ b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
@@ -2,7 +2,7 @@ title: Registry Persistence via Explorer Run Key
 id: b7916c2a-fa2f-4795-9477-32b731f70f11
 status: experimental
 description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
-author: Florian Roth
+author: Florian Roth, oscd.community
 date: 2018/07/18
 modified: 2020/09/06
 references:
@@ -13,15 +13,17 @@ logsource:
 detection:
     selection:
         TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
-        Details|startswith:
+    selection2:
+        - Details|startswith:
             - 'C:\Windows\Temp\'
             - 'C:\ProgramData\'
-            - '*\AppData\'
             - 'C:\$Recycle.bin\'
             - 'C:\Temp\'
             - 'C:\Users\Public\'
             - 'C:\Users\Default\'
-    condition: selection
+        - Details|contains:
+            - '\AppData\'
+    condition: selection and selection2
 tags:
     - attack.persistence
     - attack.t1060 # an old one
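Review bot: The `Details|startswith` branch of the new `selection2` only fires when the value data begins with the bare drive path, so a quoted value (`"C:\Users\Public\...`) or one written with an environment variable (`%TEMP%\...`, `%APPDATA%\...`) is not matched, because Sysmon appears to report the value data as written rather than expanded. Since the rule already switched the `\AppData\` entry to `Details|contains`, the same operator would be the more robust choice for the remaining literal paths in this rarely used policy key, e.g. `- Details|contains:` over that list; otherwise document the limitation in a comment such as `# literal prefixes only: quoted or %VAR%-based paths are not covered`. The `attack.t1060 # an old one` tag could additionally carry `attack.t1547.001`, the current technique for Run-key persistence. The `condition` line closes the detection block, but the `tags` list continues past the end of the hunk.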