From f58358b037caaccccf8a279dc566e8694bc259de Mon Sep 17 00:00:00 2001
From: Arnim Rupp <46819580+ruppde@users.noreply.github.com>
Date: Fri, 13 Jan 2023 17:36:38 +0100
Subject: [PATCH] Fix rule using list with only 1 element
---
 rules/category/antivirus/av_password_dumper.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/category/antivirus/av_password_dumper.yml b/rules/category/antivirus/av_password_dumper.yml
index c8dfa2c8f..6ea4e6d5d 100644
--- a/rules/category/antivirus/av_password_dumper.yml
+++ b/rules/category/antivirus/av_password_dumper.yml
@@ -19,8 +19,7 @@ logsource:
 category: antivirus
 detection:
 selection:
- Signature|startswith:
- - 'PWS'
+ Signature|startswith: 'PWS'
 Signature|contains:
 - 'DumpCreds'
 - 'Mimikatz'
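Review bot: Under `selection:` the new `Signature|startswith: 'PWS'` sits beside `Signature|contains:` as a second key of what looks like the same mapping (indentation is lost in this view, so confirm against the file), and Sigma ANDs the keys of one mapping. If that is the layout, an antivirus signature containing 'DumpCreds' or 'Mimikatz' only matches when it also begins with 'PWS', which narrows the detection considerably. If either condition alone should fire, make the selection a list of two maps, `- Signature|startswith: 'PWS'` and `- Signature|contains:`, so the entries are ORed. The `contains` list and the rule's `condition` continue outside the hunk, so the intended logic cannot be confirmed from here.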