diff --git a/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml b/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml
index 459fc153..ecf8aba9 100644
--- a/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml
+++ b/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml
@@ -11,7 +11,7 @@ tags:
- attack.t1053
author: Sreeman
date: 2020/09/29
-modified: 2021/09/09
+modified: 2021/09/24
fields:
- EventID
- CommandLine
@@ -23,7 +23,20 @@ logsource:
detection:
selection:
TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
- Details|re: '.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.ps|.vb|.jar|.hta|.msi|.vbs)$'
+ Details|endswith:
- .sh
- .exe
- .dll
- .bin
- .bat
- .cmd
- .js
- .ps
- .vb
- .jar
- .hta
- .msi
- .vbs
condition: selection
falsepositives:
- none
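Review bot: The `.ps` entry in the new `Details|endswith` list matches no common Windows script extension, and because the previous regex was `$`-anchored it never matched `.ps1` either, so PowerShell payloads stay uncovered by both versions of the rule; if `.ps` was meant to be PowerShell, adding `- .ps1` (keeping `.ps` if it was intentional) closes that gap. Two semantic differences from the replaced regex are worth a note in the rule or commit message: the unescaped `.` in the old alternation was a wildcard, so the literal dots in `endswith` are stricter, and Sigma's plain string modifiers are normally case-insensitive where `re` was not, so `.EXE` is now matched. As before, the match only fires when the registry value ends with the extension, so a stored command carrying trailing arguments or a closing quote is not caught; that is a known coverage limit rather than a regression, but worth documenting under `falsepositives`/`description` so analysts do not assume full coverage. The first hunk is only a `modified` date bump and needs nothing.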