diff --git a/rules/windows/process_access/sysmon_invoke_phantom.yml b/rules/windows/process_access/sysmon_invoke_phantom.yml
index 7230b685..f779354d 100755
--- a/rules/windows/process_access/sysmon_invoke_phantom.yml
+++ b/rules/windows/process_access/sysmon_invoke_phantom.yml
@@ -19,8 +19,8 @@ detection:
     selection:
         TargetImage|endswith: '\windows\system32\svchost.exe'
         GrantedAccess: '0x1f3fff'
-        CallTrace:
-        - '*unknown*'
+        CallTrace|contains:
+        - 'unknown'
     condition: selection
 falsepositives:
     - unknown
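Review bot: The new `CallTrace|contains: 'unknown'` line leaves the detection's actual signal unexplained — why a call trace containing "unknown" is suspicious — and a one-line YAML comment above it would help the next maintainer, e.g. `# Sysmon renders call-stack frames from memory not backed by a loaded module as UNKNOWN(<address>); that unbacked frame is the injected-code indicator this rule keys on`. Switching from the `*unknown*` wildcard to the `contains` modifier is the idiomatic Sigma form and should be behavior-neutral, since Sigma backends generally compile both as case-insensitive substring matches; only a backend that emits a case-sensitive `contains` would need the value to match Sysmon's upper-case `UNKNOWN`, which is worth a comment if any such target is in use. The `selection` block and the `detection` key begin before this hunk, so the rest of the rule's metadata was not reviewed here.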