diff --git a/persistence/service/persist-via-windows-service.yml b/persistence/service/persist-via-windows-service.yml
index 7bd333ffd..5e324ca4d 100644
--- a/persistence/service/persist-via-windows-service.yml
+++ b/persistence/service/persist-via-windows-service.yml
@@ -39,4 +39,7 @@ rule:
 - string: /New-Service /i
 - and:
 - match: set registry value
- - string: /System\\(ControlSet\d{3}|CurrentControlSet)\\Services/i
+ - string: /System\(ControlSet\d{3}|CurrentControlSet)\Services/i
+ - or:
+ - string: /ImagePath/i
+ - string: /StartType/i
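Review bot: The rewritten pattern on the added `string:` line no longer describes the Services key path. A plain YAML scalar passes backslashes through unchanged, so the regex engine now receives `\(` (a literal parenthesis) and `\S` (the non-whitespace class) instead of an escaped backslash. That leaves the closing `)` unbalanced, so the pattern will most likely fail to compile, or at best stop the rule from firing on registry-based service persistence. Keep the doubled backslashes: `- string: /System\\(ControlSet\d{3}|CurrentControlSet)\\Services/i`. Separately, the new `or` accepts `/StartType/i`, but the value stored under a service key is named `Start`, so a sample that only sets the start mode through the registry would likely not satisfy this branch. Consider matching `Start` as well, or add a comment explaining why `StartType` is expected; the enclosing `and` branch begins above the hunk, so its interaction with the rest of the rule is not visible here.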