From c5e352c270c47597ef28776d8c8d235d49d80c45 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zach=20Mathis=20=28=E7=94=B0=E4=B8=AD=E3=82=B6=E3=83=83?= =?UTF-8?q?=E3=82=AF=29?= <71482215+YamatoSecurity@users.noreply.github.com>
Date: Thu, 1 Aug 2024 21:12:35 +0900
Subject: [PATCH] Merge PR #4944 from @YamatoSecurity - Add missing `expand` modifier

fix: Userdomain Variable Enumeration - Add missing `expand` modifier
---
 .../proc_creation_win_userdomain_variable_enumeration.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml b/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
index 26bbc586f2c..54f3f4c898f 100644
--- a/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
+++ b/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
@@ -7,6 +7,7 @@ references:
 - https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/
 author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
 date: 2023/02/09
+modified: 2024/08/01
 tags:
 - attack.discovery
 - attack.t1016
@@ -15,9 +16,8 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine|contains|all:
- - 'echo '
- - '%userdomain%'
+ CommandLine|contains: 'echo '
+ CommandLine|contains|expand: '%userdomain%'
 condition: selection
 falsepositives:
 - Certain scripts or applications may leverage this.
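Review bot: With `expand` on the new `CommandLine|contains|expand: '%userdomain%'` line, `%userdomain%` is now a Sigma placeholder rather than the literal text the removed `contains|all` list matched, so the selection only works when a processing pipeline supplies values for `userdomain`; pySigma-style backends typically refuse to convert a rule whose placeholder is left unresolved. Nothing in the hunk tells a consumer what to expand it to, and the second hunk shows no change to `description` or `falsepositives` to that effect. Consider a comment above the line such as `# '%userdomain%' is a Sigma placeholder (expand modifier); map it in your pipeline to the literal '%userdomain%' string or to your domain names`, and stating the same in `description` if the rule is meant to keep matching the unexpanded variable. Splitting the list into two map keys keeps the AND semantics of the old `all` list, so detection logic is otherwise unchanged.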