added expand modifier to placeholder rule

YamatoSecurity · Aug 1, 2024 · b9bf675 · b9bf675
1 parent b8e67f1
commit b9bf675
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/...laceholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml b/...laceholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
@@ -15,9 +15,8 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|contains|all:
-            - 'echo '
-            - '%userdomain%'
+        CommandLine|contains: 'echo '
+        CommandLine|contains|expand: '%userdomain%'
     condition: selection
 falsepositives:
     - Certain scripts or applications may leverage this.