fix: FPs with mshta execution

rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml

@@ -10,7 +10,7 @@ references:
     - https://twitter.com/mattifestation/status/1326228491302563846
 author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
 date: 2019/02/22
-modified: 2021/12/01
+modified: 2022/11/07
 tags:
     - attack.defense_evasion
     - attack.t1140
@@ -22,7 +22,7 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection1:
+    selection:
         Image|endswith: '\mshta.exe'
         CommandLine|contains:
             - 'vbscript'
@@ -34,8 +34,8 @@ detection:
             - '.doc'
             - '.zip'
             - '.dll'
-            - '.exe'
-    condition: selection1
+            # - '.exe'
+    condition: selection
 falsepositives:
     - False positives depend on scripts and administrative tools used in the monitored environment
 level: high

rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml

@@ -8,7 +8,7 @@ references:
     - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
 author: Florian Roth
 date: 2021/07/17
-modified: 2022/07/14
+modified: 2022/11/07
 tags:
     - attack.execution
     - attack.t1106
@@ -33,7 +33,7 @@ detection:
             - 'C:\Users\Public'
     # Suspicious Execution Locations
     filter3:
-        Image|contains:
+        Image|startswith:
             - 'C:\Windows\System32'
             - 'C:\Windows\SysWOW64'
     # Suspicious extensions
@@ -44,7 +44,7 @@ detection:
         CommandLine|endswith:
             - 'mshta.exe'
             - 'mshta'
-    condition: selection_base and ( selection1 or selection2 ) or ( selection_base and not filter3 ) or ( selection_base and not filter4 )
+    condition: ( selection_base and ( selection1 or selection2 ) ) or ( selection_base and not 1 of filter* )
 falsepositives:
     - Unknown
 level: high