From efb67a3c676dac7b36aff16e4f66b5db80cd2dfe Mon Sep 17 00:00:00 2001
From: Qasim Qlf
Date: Thu, 21 Dec 2023 20:38:11 +0500
Subject: [PATCH] Merge PR #4635 from @qasimqlf - Fix error in modifier usage

fix: Suspicious Command Patterns In Scheduled Task Creation - Fix error in modifier usage

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
.../proc_creation_win_schtasks_susp_pattern.yml | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
index 94429dda1..343711913 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
@@ -8,7 +8,7 @@ references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
author: Florian Roth (Nextron Systems)
date: 2022/02/23
-modified: 2023/05/15
+modified: 2023/12/21
tags:
- attack.execution
- attack.t1053.005
@@ -46,15 +46,14 @@ detection:
- 'mshta http'
- 'mshta.exe http'
selection_anomaly_1:
- CommandLine|contains|all:
+ CommandLine|contains:
+ - ':\Windows\Temp\'
- '\AppData\'
- '%AppData%'
- '%Temp%'
- '%tmp%'
- - 'C:\Windows\Temp\'
selection_anomaly_2:
- CommandLine|contains|all:
- - '/xml C:\Users\'
+ CommandLine|contains:
- 'cscript'
- 'curl'
- 'wscript'
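Review bot: The removal of `- '/xml C:\Users\'` from `selection_anomaly_2` drops a pattern outright rather than fixing a modifier, which goes beyond what the commit message ("Fix error in modifier usage") describes; now that the selection is any-of instead of all-of, the line can simply be kept as one more list item, `- '/xml C:\Users\'`, if the intent was to preserve it. With `|all` removed, `selection_anomaly_1` matches on any single path fragment and `selection_anomaly_2` on any one of `cscript`/`curl`/`wscript`, so the rule's `condition`, `falsepositives` and `level` (all outside this hunk) should be re-checked against the much wider match, since it is not visible here how these selections are combined. Widening `'C:\Windows\Temp\'` to `':\Windows\Temp\'` looks intentional (any drive letter), but a one-line mention of both this and the dropped pattern in the commit description would make the change easier to audit later. The `detection` block continues past the end of the hunk.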