diff --git a/rules/windows/process_creation/win_commandline_path_obfuscation.yml b/rules/windows/process_creation/win_commandline_path_obfuscation.yml
index 70fa5a9d1..8fcf0948d 100644
--- a/rules/windows/process_creation/win_commandline_path_obfuscation.yml
+++ b/rules/windows/process_creation/win_commandline_path_obfuscation.yml
@@ -15,8 +15,7 @@ logsource:
 product: windows
 detection:
 selection1:
- Image|contains:
- - '\Windows\'
+ Image|contains: '\Windows\'
 CommandLine|contains:
 - '\..\Windows\'
 - '\..\System32\'