diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
index 94429dda1..343711913 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
@@ -8,7 +8,7 @@ references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
 author: Florian Roth (Nextron Systems)
 date: 2022/02/23
-modified: 2023/05/15
+modified: 2023/12/21
 tags:
     - attack.execution
     - attack.t1053.005
@@ -46,15 +46,14 @@ detection:
             - 'mshta http'
             - 'mshta.exe http'
     selection_anomaly_1:
-        CommandLine|contains|all:
+        CommandLine|contains:
+            - ':\Windows\Temp\'
             - '\AppData\'
             - '%AppData%'
             - '%Temp%'
             - '%tmp%'
-            - 'C:\Windows\Temp\'
     selection_anomaly_2:
-        CommandLine|contains|all:
-            - '/xml C:\Users\'
+        CommandLine|contains:
             - 'cscript'
             - 'curl'
             - 'wscript'