Merge PR #4635 from @qasimqlf - Fix error in modifier usage

fix: Suspicious Command Patterns In Scheduled Task Creation - Fix error in modifier usage

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>

rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml

@@ -8,7 +8,7 @@ references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
 author: Florian Roth (Nextron Systems)
 date: 2022/02/23
-modified: 2023/05/15
+modified: 2023/12/21
 tags:
     - attack.execution
     - attack.t1053.005
@@ -46,15 +46,14 @@ detection:
             - 'mshta http'
             - 'mshta.exe http'
     selection_anomaly_1:
-        CommandLine|contains|all:
+        CommandLine|contains:
+            - ':\Windows\Temp\'
             - '\AppData\'
             - '%AppData%'
             - '%Temp%'
             - '%tmp%'
-            - 'C:\Windows\Temp\'
     selection_anomaly_2:
-        CommandLine|contains|all:
-            - '/xml C:\Users\'
+        CommandLine|contains:
             - 'cscript'
             - 'curl'
             - 'wscript'