From 02e826def342cfe185442fddaebe02526f45db71 Mon Sep 17 00:00:00 2001
From: Nikita Nazarov <61659062+NikitaStormwind@users.noreply.github.com>
Date: Fri, 9 Oct 2020 16:29:20 +0300
Subject: [PATCH] Update powershell_invoke_obfuscation_via_use_mhsta.yml

---
 .../powershell_invoke_obfuscation_via_use_mhsta.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml
index 47f297f60..eb5f0e924 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml
@@ -18,11 +18,11 @@ detection:
     selection_1:
         EventID: 4104
     selection_2:
-        - ScriptBlockText|re: '(?i).*downloadstring&&.*mshta.*powershell.*\(window.close\).*"'
+        - ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
     selection_3:
         EventID: 4103
     selection_4:
-        - Payload|re: '(?i).*downloadstring&&.*mshta.*powershell.*\(window.close\).*"'
+        - Payload|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
     condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 )
 falsepositives:
     - Unknown
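Review bot: The new `ScriptBlockText|re` pattern in selection_2 (and the identical `Payload|re` pattern in selection_4) chains seven greedy `.*` wildcards under `(?i)`, which on long non-matching script blocks can make the backend regex engine backtrack heavily, and it only fires when the six tokens appear in exactly this order followed by a literal closing `"`, so a reordered or differently quoted launcher is missed. The parentheses around `set`, `&&`, `mshta`, `vbscript:createobject` and `.run` create capture groups that nothing consumes and only add noise; `set` on its own also matches almost any script block, so it contributes little selectivity. Since token order is not what the detection needs, the same tokens can be expressed with Sigma's `contains|all` modifier, which is cheaper to evaluate and easier to read; whether `contains` is case-insensitive depends on the backend, so confirm that for the targets in use. The rule's `description`, `references` and `level` lie outside the hunk and the commit message gives no rationale, so I cannot tell whether they were updated to reflect the changed pattern.
```yaml
    selection_2:
        - ScriptBlockText|contains|all:
            - 'set'
            - '&&'
            - 'mshta'
            - 'vbscript:createobject'
            - '.run'
            - '(window.close)'
    # … unchanged: selection_3 …
    selection_4:
        - Payload|contains|all:
            - 'set'
            - '&&'
            - 'mshta'
            - 'vbscript:createobject'
            - '.run'
            - '(window.close)'
    # … unchanged: condition, falsepositives …
```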