From c9e81f1cf00a68de6dbc6a17d57e2faa7a28d7ce Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 22 Aug 2022 20:17:22 +0100
Subject: [PATCH] Update proc_creation_win_lolbin_sideload_link_binary.yml
---
 .../proc_creation_win_lolbin_sideload_link_binary.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml b/rules/windows/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml
index 0f8bf6f11..fa924f846 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml
@@ -15,8 +15,7 @@ logsource:
 detection:
 selection:
 Image|endswith: '\link.exe'
- CommandLine|contains:
- 'LINK /' # Hardcoded command line when we call tools like dumpbin.exe, editbin.exe, lib.exe...etc
+ CommandLine|contains: 'LINK /' # Hardcoded command line when we call tools like dumpbin.exe, editbin.exe, lib.exe...etc
 # Add other filters for other legitimate locations
 filter_visual_studio:
 ParentImage|startswith:
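Review bot: The new `CommandLine|contains: 'LINK /'` line keeps its explanation as a trailing inline comment, which pushes the line well past 120 columns and is the kind of comment that gets dropped the next time the value is edited; put it on its own line above the key, e.g. `# 'LINK /' is the command line hardcoded by wrappers such as dumpbin.exe, editbin.exe and lib.exe when they invoke link.exe` followed by `CommandLine|contains: 'LINK /'`. Collapsing the single-item list to a scalar does not change what the selection matches, so this is a presentation point only. The `detection` block continues outside the hunk (the `filter_visual_studio` values and the `condition` are not visible), so whether this selection is the positive match or part of an exclusion cannot be confirmed from here.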