diff --git a/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml b/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml index acdaf8225..84f6a488e 100644 --- a/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml +++ b/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml @@ -5,20 +5,23 @@ description: Trickbot enumerates domain/network topology and executes certain co references: - https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/ author: David Burkett +date: 12/28/2019 +tags: + - attack.t1482 logsource: category: process_creation product: windows detection: - selection1: + selection: Image: - '*\nltest.exe' - selection2: CommandLine: - '/domain_trusts /all_trusts' - '/domain_trusts' - condition: selection1 and (1 of CommandLine) + condition: selection fields: - CommandLine + - ParentCommandLine falsepositives: - System Admin Activity level: critical \ No newline at end of file
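Review bot: the `CommandLine` values in the merged `selection` carry no wildcards, so under Sigma's default exact-match semantics the rule only fires when the whole command line equals `/domain_trusts /all_trusts` or `/domain_trusts`, which a real `nltest.exe` invocation never will (the `Image` value `'*\nltest.exe'` already uses a wildcard, so a substring match is clearly intended). Use `- '*/domain_trusts*'` (or `CommandLine|contains: 'domain_trusts'`), after which the second list entry becomes redundant because it is a substring of the first. Two smaller points in the same hunk: `date: 12/28/2019` does not follow the repository's `YYYY/MM/DD` date format (`2019/12/28`), and the file still ends without a trailing newline.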