From 5b09dff1fbd162dbc92c6e3d5a39014e8ad8d4ae Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 16 Aug 2021 09:21:04 +0200
Subject: [PATCH] cleanup win_malware_conti_shadowcopy.yml

---
 .../windows/process_creation/win_malware_conti_shadowcopy.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml
index babdb8d3d..105e17ae9 100644
--- a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml
+++ b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml
@@ -11,8 +11,7 @@ logsource:
     product: windows
 detection:
     selection_1:
-        CommandLine|contains:
-            - '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
+        CommandLine|contains: '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
     selection_2:
         CommandLine|contains:
             - '\\NTDS.dit'
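Review bot: The scalar on the `+` line is equivalent to the one-item list it replaces for a `CommandLine|contains` selection, but the hunk now mixes two shapes for the same modifier: `selection_1` holds a bare scalar while `selection_2` two lines later keeps a list, so a future author adding a second shadow-copy path has to remember to convert back to a list. Keeping both selections in list form (or applying the scalar form to both) makes the rule uniform and keeps later additions to a one-line diff. The pattern is also easy to misread because of the stacked escapes; a comment above it such as `# Sigma unescapes this to \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy (\\ is a literal backslash, \? a literal question mark)` would save the next reviewer from re-deriving it. The `condition` that combines `selection_1` and `selection_2` lies outside this hunk, so whether the narrowing of `selection_1` to a single value changes the rule's match surface cannot be confirmed from here.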