diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml
index 47f297f60..eb5f0e924 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml
@@ -18,11 +18,11 @@ detection:
     selection_1:
         EventID: 4104
     selection_2:
-        - ScriptBlockText|re: '(?i).*downloadstring&&.*mshta.*powershell.*\(window.close\).*"'
+        - ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
     selection_3:
         EventID: 4103
     selection_4:
-        - Payload|re: '(?i).*downloadstring&&.*mshta.*powershell.*\(window.close\).*"'
+        - Payload|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
     condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 )
 falsepositives:
     - Unknown
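Review bot: The new ScriptBlockText regex in selection_2 (and the identical Payload regex in selection_4) wraps plain literals in capture groups and chains six `.*` wildcards, which adds nothing to the match but increases backtracking on long 4104 script blocks; since Sigma's `|re` modifier is an unanchored search on the backends I am aware of, the leading `.*` and the parentheses can be dropped without changing what is matched. A leaner equivalent is `- ScriptBlockText|re: '(?i)set.*&&.*mshta.*vbscript:createobject.*\.run.*\(window\.close\).*"'`, with the same edit applied to the Payload line. The inline `(?i)` flag is not honored uniformly by every Sigma converter, so it is worth confirming against the target backends, or using the dedicated case-insensitive regex submodifier where the project's pySigma version supports it. The `detection:` mapping begins before this hunk, so the unchanged selections above line 18 were not reviewed.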