diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
index 0e6ca3972..a08ba728c 100644
--- a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
@@ -88,7 +88,6 @@ detection:
         - NotAllNameSpaces
         - exfill
         - FakeDC
-        - Exploit
     condition: keywords
 falsepositives:
     - Penetration testing
diff --git a/rules/windows/process_creation/win_apt_ta505_dropper.yml b/rules/windows/process_creation/win_apt_ta505_dropper.yml
new file mode 100644
index 000000000..d90e41594
--- /dev/null
+++ b/rules/windows/process_creation/win_apt_ta505_dropper.yml
@@ -0,0 +1,22 @@
+title: TA505 Dropper Load Pattern
+id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
+status: experimental
+description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents
+references:
+    - https://twitter.com/ForensicITGuy/status/1334734244120309760
+tags:
+    - attack.execution
+    - attack.g0092
+logsource:
+    category: process_creation
+    product: windows
+author: Florian Roth
+date: 2020/12/08
+detection:
+    selection:
+        Image|endswith: '\mshta.exe'
+        ParentImage|endswith: '\wmiprvse.exe'
+    condition: selection
+falsepositives:
+    - unknown
+level: critical
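Review bot: The `tags` list of the new win_apt_ta505_dropper.yml rule names only the tactic and the group, while the selection itself describes two specific techniques (mshta as a signed proxy, spawned through a WMI provider host), so analysts mapping alerts to ATT&CK lose that detail; I would extend the list with `- attack.defense_evasion`, `- attack.t1218.005` and `- attack.t1047` under the existing `- attack.execution`. The pairing of `level: critical` with `falsepositives: - unknown` is also worth a second look: any management tooling that creates processes through WMI would presumably produce the same wmiprvse.exe → mshta.exe parent/child pair, so if such a benign source is known in the author's telemetry it should be listed there rather than left as unknown. The removal of the `Exploit` keyword in the first hunk is a pure deletion and needs no comment.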