From dd857c44706f4da19c431bd48aefafc33f3e1517 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 25 Jul 2018 07:37:17 +0200
Subject: [PATCH] Cosmetics If it's only 1 value we write it like this to avoid it being interpreted as a list with 1 element and to avoid an extra line.
---
rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml b/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml
index b45d243f..5bec5a7d 100644
--- a/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml
+++ b/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml
@@ -14,8 +14,7 @@ logsource: detection: selection: EventID: 11 - TargetFilename: - '*\Temp\debug.bin' + TargetFilename: '*\Temp\debug.bin' condition: selection falsepositives: - Unknown
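Review bot: The selection on the new `TargetFilename: '*\Temp\debug.bin'` line matches one file name under any Temp directory, so the rule covers only what is presumably the tool's default output name and will also fire for unrelated software that writes a `debug.bin` there; neither limit is documented. I would replace `- Unknown` under `falsepositives` with something like `- Other software writing a file named debug.bin to a Temp directory` and state the default-name assumption in the rule's description, which lies outside this hunk. The scalar form itself is fine: inside single quotes YAML keeps the backslashes literal, so the pattern is unchanged from the one-element list. Indentation of the new line could not be checked because the page's whitespace is collapsed.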