From 09d6d3e4075908fb64b6dbfd2140bbbb93ad1779 Mon Sep 17 00:00:00 2001
From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com>
Date: Sat, 19 Nov 2022 15:06:10 +1100
Subject: [PATCH] Update rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 .../proc_creation_win_iis_service_account_password_dumped.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
index e4ec75500..9b49fdc66 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
@@ -32,7 +32,7 @@ detection:
 - ' /text '
 - ' /config '
 - ' /@c'
- condition: 1 of selection_cmd* and selection_list
+ condition: all of selection_*
 falsepositives:
 - Unknown
 level: high
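Review bot: The new `condition: all of selection_*` ANDs every selection whose name starts with `selection_`, while the replaced line OR-ed the `selection_cmd*` group and only then required `selection_list`. The selection definitions start above this hunk, so it is not visible how many blocks the wildcard now covers; if more than one former `selection_cmd*` block still exists, a single matching command-line variant no longer fires this `level: high` rule. If the selections were consolidated so that all of them are meant to be mandatory, a comment above the line would record that, e.g. `# all selection_* blocks are required; name optional blocks without this prefix`. That also stops a later-added `selection_*` block from silently narrowing the rule.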