From fcd41ed3e36343845e98e900d4ecaa49035653e3 Mon Sep 17 00:00:00 2001
From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com>
Date: Sat, 19 Nov 2022 15:06:36 +1100
Subject: [PATCH] Update rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 .../proc_creation_win_iis_service_account_password_dumped.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
index 9b49fdc66..d0bf05e0d 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
@@ -19,9 +19,7 @@ detection:
 - Image|endswith: '\appcmd.exe'
 - OriginalFilename: 'appcmd.exe'
 selection_list:
- CommandLine|contains:
- - ' /list '
- - ' list '
+ CommandLine|contains: 'list '
 selection_cmd1:
 CommandLine|contains|all:
 - ' /text'
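Review bot: The added `CommandLine|contains: 'list '` drops the leading space/slash the removed values required, so it now also matches any token ending in `list ` (for example `blacklist `) and, with Sigma's default case-insensitive `contains`, `LIST ` as well; the breadth is probably harmless since the `appcmd.exe` image selection and the `/text` condition in `selection_cmd1` still have to hold, but the intent deserves a comment for maintainers. Suggested: `CommandLine|contains: 'list '  # one value covers '/list ', '-list ' and the bare verb; trailing space keeps 'listing'-style tokens out`. The rule's `condition:` and `falsepositives:` fields are outside the hunk, so it is not visible here whether `selection_list` is still AND-ed with the `selection_cmd*` groups; that should be confirmed before relying on the narrower value count.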