Merge PR #4944 from @YamatoSecurity - Add missing expand modifier

fix: Userdomain Variable Enumeration - Add missing `expand` modifier
SigmaHQ · Aug 1, 2024 · c5e352c · c5e352c
1 parent 3359340
commit c5e352c
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/...laceholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml b/...laceholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
@@ -7,6 +7,7 @@ references:
     - https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/
 author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
 date: 2023/02/09
+modified: 2024/08/01
 tags:
     - attack.discovery
     - attack.t1016
@@ -15,9 +16,8 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|contains|all:
-            - 'echo '
-            - '%userdomain%'
+        CommandLine|contains: 'echo '
+        CommandLine|contains|expand: '%userdomain%'
     condition: selection
 falsepositives:
     - Certain scripts or applications may leverage this.