diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml b/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
new file mode 100644
index 000000000..bd18b7548
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
@@ -0,0 +1,25 @@
+title: Gpscript Execution
+id: 1e59c230-6670-45bf-83b0-98903780607e
+status: experimental
+description: Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
+references:
+ - https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
+ - https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
+author: frack113
+date: 2022/05/02
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '\gpscript.exe'
+ CommandLine|contains:
+ - ' /logon'
+ - ' /startup'
+ condition: selection
+falsepositives:
+ - Legitimate uses of logon scripts distributed via group policy
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml b/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml
new file mode 100644
index 000000000..2a0444ef5
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml
@@ -0,0 +1,22 @@
+title: JSC Convert Javascript To Executable
+id: 52788a70-f1da-40dd-8fbd-73b5865d6568
+status: experimental
+description: Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Jsc/
+author: frack113
+date: 2022/05/02
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '\jsc.exe'
+ CommandLine|contains: '.js'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1127
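Review bot: The gpscript selection keys only on `Image|endswith: '\gpscript.exe'`, so a renamed copy of the binary is missed, while the listed false positive (Group Policy logon/startup scripts) means the rule will fire on every logon or boot in a domain that deploys such scripts, which is a lot of noise at level medium. Consider an alternative `OriginalFileName` match alongside the image match so a renamed copy is still caught (take the value from the binary's version resource, e.g. `OriginalFileName: '<gpscript original filename>'`), and a sentence under `falsepositives` telling analysts that environments using GP scripts should filter on the parent process of the legitimate Group Policy launcher — which parent that is should be confirmed against real telemetry rather than guessed here. The description could also say that only invocations carrying the `/logon` or `/startup` switch are matched, since a bare `gpscript.exe` run does not satisfy the selection.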
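Review bot: In the jsc hunk, `CommandLine|contains: '.js'` adds almost no selectivity: jsc.exe exists to compile JScript source, so nearly every invocation carries a `.js` path, and the substring also matches `.json`, `.jsx` or any directory name containing `.js`. Either drop the CommandLine condition and rely on the image match (which is what the description, "execution of the LOLBIN jsc.exe", actually claims) or state in a comment why the `.js` token is needed. `falsepositives: - Unknown` undersells the obvious case: jsc.exe ships with the .NET Framework, so developers building JScript.NET projects will trigger this, and naming that case helps whoever has to tune the rule on developer workstations.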
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml b/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
new file mode 100644
index 000000000..a9e8bce20
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
@@ -0,0 +1,26 @@
+title: PrintBrm ZIP Creation of Extraction
+id: cafeeba3-01da-4ab4-b6c4-a31b1d9730c7
+status: experimental
+description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/
+author: frack113
+date: 2022/05/02
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '\PrintBrm.exe'
+ CommandLine|contains|all:
+ - ' -f'
+ - '.zip'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.command_and_control
+ - attack.t1105
+ - attack.defense_evasion
+ - attack.t1564.004
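Review bot: The title has a typo that will be visible in every alert — it should read `title: PrintBrm ZIP Creation or Extraction` (`of` → `or`). The `' -f'` substring lacks a trailing space, so it would also match any other switch or token beginning with `-f` if one exists; `' -f '` pins the switch itself, though the spacing and quoting of the path argument should be checked against real PrintBrm command lines before tightening. Level high together with `falsepositives: - Unknown` is a strong combination for a supported printer-migration tool: administrators backing up or restoring print servers run PrintBrm legitimately, and if they choose a `.zip` file name they will hit this rule, so that case is worth naming under falsepositives so analysts know what to verify.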