From 013533fceb7d66dd35efc08bbe304e8e675efe0f Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 17:13:16 -0300
Subject: [PATCH] Update powershell_prompt_credentials.yml
---
 rules/windows/powershell/powershell_prompt_credentials.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml
index f5601ce9..4513b1dd 100644
--- a/rules/windows/powershell/powershell_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_prompt_credentials.yml
@@ -20,8 +20,8 @@ detection:
 selection:
 EventID: 4104
 keyword:
- Message:
- - '*PromptForCredential*'
+ Message|contains:
+ - 'PromptForCredential'
 condition: all of them
 falsepositives:
 - Unknown
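Review bot: The keyword selection on the added line still matches on `Message`, and for EventID 4104 that field is not populated in every log pipeline; the script text commonly arrives as `ScriptBlockText`, so where the backend's field mapping does not translate `Message` this rule may never fire without any error. Consider `ScriptBlockText|contains:` on that line, or confirm the mapping for each backend the rule is converted to. The `falsepositives` entry could also say more than `Unknown`, e.g. `- Administrative scripts that legitimately prompt for credentials`, since the string matches any logged script block that calls this method. The `detection` block starts above the hunk and the logsource is not visible here, so the dependency on Script Block Logging being enabled should be checked and documented there.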