use same trick as Invoke-Obfuscation Obfuscated IEX Invocation

rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml

@@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
+modified: 2021/05/27
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
 tags:
@@ -18,22 +19,25 @@ level: high
 detection:
     selection:
         - ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
-    condition: selection
+    condition: selection and selection_eventid
 ---
 logsource:
     product: windows
     service: system
 detection:
-    selection:
+    selection_eventid:
         EventID: 7045
 ---
 logsource:
     product: windows
     category: driver_load
+detection:
+    selection_eventid:
+        EventID: 6
 ---
- logsource:
-     product: windows
-     service: security
- detection:
-     selection:
-         EventID: 4697
+logsource:
+    product: windows
+    service: security
+detection:
+    selection_eventid:
+        EventID: 4697