From af3857b42f319ca4820100a2f7f681436b791df7 Mon Sep 17 00:00:00 2001
From: securepeacock <92804416+securepeacock@users.noreply.github.com>
Date: Tue, 13 Dec 2022 10:27:21 -0500
Subject: [PATCH] Update proc_creation_win_susp_runonce_execution.yml
---
 .../proc_creation_win_susp_runonce_execution.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml
index da7c289fe..8db6cb610 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml
@@ -24,8 +24,7 @@ detection:
 - '/AlternateShellStartup'
 - '/r'
 filter:
- CommandLine|contains:
- - '/Run6432'
+ CommandLine|contains: '/Run6432'
 condition: all of selection* and not filter
 falsepositives:
 - Unknown
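Review bot: The `filter` rewritten in this hunk is an unanchored substring match, so under `all of selection* and not filter` any event whose command line contains `/Run6432` anywhere is dropped, even when it also carries one of the selected switches. Whether runonce.exe accepts such a combined command line is not visible here, so that should be verified rather than assumed. If the exclusion is meant for one routine invocation, `CommandLine|endswith: '/Run6432'` (or pairing the filter with the expected parent image) would keep the carve-out narrow. A comment above `filter:` naming the benign invocation it covers would also help, since `falsepositives` only says `Unknown`. The `detection` block starts above the hunk, so the selection fields themselves cannot be checked from here.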