From eef0995310f44d056b3fa32c8c1377d14cea5866 Mon Sep 17 00:00:00 2001 From: nasbench <8741929+nasbench@users.noreply.github.com> Date: Tue, 2 Jan 2024 11:13:11 +0100 Subject: [PATCH] Update proc_creation_win_dotnet_trace_lolbin_execution.yml --- ...proc_creation_win_dotnet_trace_lolbin_execution.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml b/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml index ce64b7f90ba..1c251862b4f 100644 --- a/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml @@ -1,11 +1,11 @@ -title: Lolbin Execution Via Dotnet-Trace.exe +title: Lolbin Execution Via Dotnet-Trace.EXE id: 9257c05b-4a4a-48e5-a670-b7b073cf401b status: experimental -description: Detects cmdline arguments for executing a child process with dotnet-trace.exe +description: Detects commandline arguments for executing a child process via dotnet-trace.exe references: - https://twitter.com/bohops/status/1740022869198037480 author: Jimmy Bayne (@bohops) -date: 2023/12/27 +date: 2024/01/02 tags: - attack.execution - attack.defense_evasion @@ -19,9 +19,9 @@ detection: - OriginalFileName: 'dotnet-trace.dll' selection_cli: CommandLine|contains|all: - - '--' + - '-- ' - 'collect' condition: all of selection_* falsepositives: - - Unknown + - Legitimate usage of the utility in order to debug and trace a program. level: medium
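Review bot: The first hunk overwrites `date: 2023/12/27` with `date: 2024/01/02` instead of adding a `modified:` field, which discards the rule's creation date if the rule had already been merged; the Sigma convention in that case is to keep `date: 2023/12/27` and add `modified: 2024/01/02`. If this rule is still unmerged on a PR branch, rewriting `date:` is acceptable and this can be ignored. The `title` and `description` edits are wording only and raise nothing.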
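Review bot: The tightened `'-- '` token in `selection_cli` assumes the argument separator is always followed by a literal ASCII space, which removes the false matches on `--duration`/`--format` style options but also means a command line such as `dotnet-trace.exe collect --<TAB>calc.exe` would presumably still be split into `--` and `calc.exe` by the .NET argument parser while no longer containing the `-- ` substring; worth confirming and, if so, documenting as a known gap. Because `contains|all` is unordered and unanchored, `'collect'` also matches inside any path or argument containing that substring, so the rule does not require the `collect` verb to actually precede the separator. A short note next to the token would help maintainers, e.g. `# '-- ' (with trailing space) avoids matching long options like --duration; tab or other whitespace after the separator is not covered`. The `selection_img` list and the start of `detection:` lie outside this hunk.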