diff --git a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml
index babdb8d3d..105e17ae9 100644
--- a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml
+++ b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml
@@ -11,8 +11,7 @@ logsource:
     product: windows
 detection:
     selection_1:
-        CommandLine|contains:
-            - '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
+        CommandLine|contains: '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
     selection_2:
         CommandLine|contains:
             - '\\NTDS.dit'
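Review bot: The escaped value on the new `CommandLine|contains:` line in selection_1 is hard to read — five backslashes followed by `\?` — and nothing in the hunk says what path form it is meant to match. Under Sigma's escaping rules (`\\` is a literal backslash, `\?` a literal question mark rather than a wildcard) the scalar appears to match the `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy` device-path prefix; a comment above the line, `# matches \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy (Sigma escaping: \\ = literal backslash, \? = literal ?)`, would keep a later editor from "fixing" the escaping and silently breaking the detection. Collapsing the single-item list to a plain scalar is equivalent in Sigma, so no detection change is implied by the hunk itself. selection_2 continues past the end of the hunk.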