diff --git a/rules/category/antivirus/av_password_dumper.yml b/rules/category/antivirus/av_password_dumper.yml
index c8dfa2c8f..6ea4e6d5d 100644
--- a/rules/category/antivirus/av_password_dumper.yml
+++ b/rules/category/antivirus/av_password_dumper.yml
@@ -19,8 +19,7 @@ logsource:
 category: antivirus
 detection:
 selection:
- Signature|startswith:
- - 'PWS'
+ Signature|startswith: 'PWS'
 Signature|contains:
 - 'DumpCreds'
 - 'Mimikatz'
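Review bot: `Signature|startswith` and `Signature|contains` appear to be sibling keys of the single `selection` mapping, and Sigma ANDs the keys of a mapping. Indentation is lost on this page, so that nesting is inferred from the absence of a list dash before `Signature|contains:`. If it holds, the rule fires only when a signature both starts with `PWS` and contains one of the listed names, so an antivirus hit whose name contains `Mimikatz` without the `PWS` prefix would go undetected. If either condition is meant to be sufficient, make `selection` a list of two maps, `- Signature|startswith: 'PWS'` and `- Signature|contains:`, which Sigma ORs. The `contains` list and the `condition` line continue outside the hunk, so confirm against the full rule.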