From eb4ef6bcfc81c14101f4a78436ae907bfe8d834b Mon Sep 17 00:00:00 2001
From: phantinuss
Date: Wed, 27 Oct 2021 11:16:12 +0200
Subject: [PATCH] fix: single list item to value
---
 .../process_creation/win_commandline_path_obfuscation.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_commandline_path_obfuscation.yml b/rules/windows/process_creation/win_commandline_path_obfuscation.yml
index 70fa5a9d1..8fcf0948d 100644
--- a/rules/windows/process_creation/win_commandline_path_obfuscation.yml
+++ b/rules/windows/process_creation/win_commandline_path_obfuscation.yml
@@ -15,8 +15,7 @@ logsource:
 product: windows
 detection:
 selection1:
- Image|contains:
- - '\Windows\'
+ Image|contains: '\Windows\'
 CommandLine|contains:
 - '\..\Windows\'
 - '\..\System32\'