diff --git a/rules/windows/process_creation/win_cmdkey_recon.yml b/rules/windows/process_creation/win_cmdkey_recon.yml
index bc9d89c74..4d8a91334 100644
--- a/rules/windows/process_creation/win_cmdkey_recon.yml
+++ b/rules/windows/process_creation/win_cmdkey_recon.yml
@@ -7,6 +7,7 @@ references:
 - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
 author: jmallette
 date: 2019/01/16
+modified: 2021/07/07
 tags:
 - attack.credential_access
 - attack.t1003.005
@@ -17,12 +18,12 @@ logsource:
 detection:
 selection:
 Image|endswith: '\cmdkey.exe'
- CommandLine|contains: ' /list '
+ CommandLine|contains: ' /list'
 condition: selection
 fields:
 - CommandLine
 - ParentCommandLine
 - User
 falsepositives:
- - Legitimate administrative tasks.
-level: low
+ - Legitimate administrative tasks
+level: medium
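Review bot: The raise to `level: medium` in the second hunk is not backed by anything in the rule body: the `falsepositives` entry still reads only `Legitimate administrative tasks`, which gives an analyst no way to separate routine administrative use of `cmdkey /list` from credential discovery at the higher severity. Consider expanding that entry with the benign context expected (for example the parent processes or accounts that normally run it) and recording the reason for the confidence change in `description`, which lies outside both hunks. Dropping the trailing space in `CommandLine|contains: ' /list'` is a correct fix, since the old `' /list '` pattern missed the switch at the end of the command line and the `/list:targetname` form; adding `OriginalFileName: 'cmdkey.exe'` as a second selection OR-ed with the `Image|endswith` match would keep the rule effective when the image path does not end in the expected name.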