diff --git a/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml b/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml
index ecb11a21f..0dbd99039 100644
--- a/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml
+++ b/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml
@@ -18,8 +18,8 @@ logsource:
 detection:
     #useful_information: add more LOLBins to the rules logic of your choice.
     selection1:
-        - Image: '*\wbem\WMIC.exe'
-        - ProcessCommandLine: '*wmic *'
+        - Image|endswith: '\wbem\WMIC.exe'
+        - ProcessCommandLine|contains: 'wmic '
         - OriginalFileName: 'wmic.exe'
         - Description: 'WMI Commandline Utility'
     selection2:
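Review bot: The new `ProcessCommandLine|contains: 'wmic '` item only fires when the token is followed by a space, so invocations written as `wmic.exe <args>` (or a full path to `WMIC.exe` followed by arguments) are not caught by this item; the other three list items still match the WMIC process itself, so this mostly weakens the indirect case where a parent such as cmd or PowerShell carries the wmic call in its own command line. The change is otherwise a faithful wildcard-to-modifier conversion (`'*\wbem\WMIC.exe'` → `endswith`, `'*wmic *'` → `contains`), but I would widen the value to a list: `- ProcessCommandLine|contains:` / `    - 'wmic '` / `    - 'wmic.exe '`. Separately, if this rule is meant to follow the standard Sigma process_creation field taxonomy, the field name is normally `CommandLine` rather than `ProcessCommandLine`; the logsource block that would confirm this is outside the hunk, as is the `condition` that consumes `selection1` and `selection2`, so the detection block continues past what is shown here.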