diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml
index 95695f2c4..2721f13b5 100644
--- a/rules/macros/macros.yml
+++ b/rules/macros/macros.yml
@@ -50,7 +50,7 @@
 expr: kevt.name = 'RegCreateKey' and registry.status = 'Success'
 - macro: modify_registry
- expr: (set_value or create_key)
+ expr: ((set_value) or (create_key))
 - macro: send_socket
 expr: kevt.name = 'Send'
diff --git a/rules/persistence_hidden_local_account_creation.yml b/rules/persistence_hidden_local_account_creation.yml
index 8afb80b87..67bdd53d5 100644
--- a/rules/persistence_hidden_local_account_creation.yml
+++ b/rules/persistence_hidden_local_account_creation.yml
@@ -17,10 +17,10 @@ labels:
 subtechnique.ref: https://attack.mitre.org/techniques/T1136/001/
 condition: >
- set_value and registry.path imatches
+ modify_registry and registry.path imatches
 (
- 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\',
- 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\*$\\'
+ 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$',
+ 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\*$'
 )
 severity: high
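Review bot: The extra parentheses around `set_value` and `create_key` on the `+` line of the macros.yml hunk only matter if macros are substituted textually into a caller's condition, and nothing in the hunk records that, so the next maintainer who adds a compound macro is likely to write it without them. A one-line comment above the macro would preserve the intent, e.g. `# macros are expanded textually: keep each operand parenthesised so precedence survives substitution into a rule condition`. If expansion actually happens on a parsed expression tree, the change is cosmetic and the comment should say that instead. The `create_key` macro this expression references begins outside the hunk.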
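Review bot: Switching the condition from `set_value` to `modify_registry` pulls in the `create_key` macro, which per the macros.yml hunk matches any successful `RegCreateKey`, and on Windows RegCreateKey also returns success when the key already exists (open-or-create), so unless the event carries a creation disposition the rule now fires on a plain open of an existing `Users\Names\<name>$` key rather than only on account creation. If the engine exposes that disposition, gate on it; otherwise document the trade-off next to the condition, e.g. `# modify_registry also matches RegCreateKey on an existing key (open-or-create); expect a hit per open of a $-suffixed SAM entry, not only on creation`. The second pattern `...\\Users\\*$` also deserves a comment: if `*` spans backslashes it subsumes the `Names` pattern, and if it does not, the direct `Users\<RID>` subkeys are hex RIDs that never end in `$`, so one of the two entries is redundant either way. The `labels` mapping the hunk opens in begins outside the hunk.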