diff --git a/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml index f0780c4e7..3ef734d59 100644 --- a/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml +++ b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml @@ -1,7 +1,7 @@ title: Activity Related to NTDS.dit Domain Hash Retrieval status: experimental description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely -author: Florian Roth, Michael Haag +author: Florian Roth, Michael Haag, Alec Costello references: - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/ - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
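Review bot: the only change in this hunk is the addition of "Alec Costello" to the `author:` line; nothing in the visible diff shows what was contributed, so the commit message or PR description should state whether the detection logic or references changed elsewhere in the file. If the rule body did change, Sigma convention is to bump the rule's `modified:` date in the same commit, and it would be worth revisiting `status: experimental` once the new logic has been validated. If this is purely an attribution fix, say so explicitly so reviewers do not go looking for a functional change.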