diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 45068180..8804069b 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -98398,7 +98398,7 @@ discovery:
       supported_platforms:
       - windows
       executor:
-        command: 'nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN
+        command: 'nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%
 
           '
         name: command_prompt
diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml
index 9d004675..727fb84a 100644
--- a/atomics/Indexes/windows-index.yaml
+++ b/atomics/Indexes/windows-index.yaml
@@ -85106,7 +85106,7 @@ discovery:
       supported_platforms:
       - windows
       executor:
-        command: 'nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN
+        command: 'nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%
 
           '
         name: command_prompt
diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md
index 2277aab9..83d9b5ca 100644
--- a/atomics/T1016/T1016.md
+++ b/atomics/T1016/T1016.md
@@ -395,7 +395,7 @@ controller of the targeted or compromised host. reference https://securelist.com
 
 
 ```cmd
-nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN
+nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%
 ```