diff --git a/rules/windows/sysmon/sysmon_office_shell.yml b/rules/windows/sysmon/sysmon_office_shell.yml
new file mode 100644
index 000000000..cc799c691
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_office_shell.yml
@@ -0,0 +1,28 @@
+title: Microsoft Office Product Spawning Windows Shell
+status: experimental
+description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.
+reference: https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
+author: Michael Haag
+logsource:
+ product: sysmon
+detection:
+ selection:
+ EventID: 1
+ ParentImage:
+ - '*\WINWORD.EXE'
+ - '*\EXCEL.EXE'
+ - '*\POWERPNT.exe'
+ - '*\MSPUB.exe'
+ - '*\VISIO.exe'
+ Image:
+ - '*\cmd.exe'
+ - '*\powershell.exe'
+ - '*\wscript.exe'
+ - '*\cscript.exe'
+ - '*\sh.exe'
+ - '*\bash.exe'
+ - '*\scrcons.exe'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/windows/sysmon/sysmon_webshell_detection.yml b/rules/windows/sysmon/sysmon_webshell_detection.yml
index c183fe500..c5ca987f6 100644
--- a/rules/windows/sysmon/sysmon_webshell_detection.yml
+++ b/rules/windows/sysmon/sysmon_webshell_detection.yml
@@ -1,4 +1,4 @@
-title: Webshell Detection With Command Line Keywords
+title: Webshell Detection With Command Line Keywords
 description: Detects certain command line parameters often used during reconnissaince activity via web shells
 author: Florian Roth
 logsource:
@@ -9,12 +9,16 @@ detection:
 ParentImage:
 - '*\apache*'
 - '*\tomcat*'
- CommandLine:
+ - '*\w3wp.exe'
+ - '*\php-cgi.exe'
+ - '*\nginx.exe'
+ - '*\httpd.exe'
+ CommandLine:
 - 'whoami'
 - 'net user'
 - 'ping -n'
+ - 'systeminfo'
 condition: selection
 falsepositives:
 - unknown
 level: high
-
diff --git a/rules/windows/sysmon/sysmon_webshell_spawn.yml b/rules/windows/sysmon/sysmon_webshell_spawn.yml
index fd092c485..51359a62b 100644
--- a/rules/windows/sysmon/sysmon_webshell_spawn.yml
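Review bot: The ParentImage patterns in the new sysmon_office_shell.yml mix casing — `'*\WINWORD.EXE'` and `'*\EXCEL.EXE'` carry an upper-case extension while `'*\POWERPNT.exe'`, `'*\MSPUB.exe'` and `'*\VISIO.exe'` do not; most Sigma backends match case-insensitively, but on a backend or field type that does not, two of the five parents would silently never match, so pick one form (for instance `'*\winword.exe'` and `'*\excel.exe'`) for the whole list. `'*\scrcons.exe'` in the Image list looks out of place: as far as I know the WMI script event consumer is started by the WMI service host rather than by an Office process, so it is unlikely to fire under this ParentImage filter and is worth confirming or dropping. `falsepositives: - unknown` gives analysts nothing to tune a high-level rule on; even a short entry such as `- Office automation or add-ins that launch scripts via wscript.exe or cscript.exe` would help triage.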
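Review bot: The new `- 'systeminfo'` entry in sysmon_webshell_detection.yml, like the existing `whoami`, `net user` and `ping -n` values, is a plain string with no wildcard, while the ParentImage list in the same selection uses `*\...` patterns; in Sigma a value without `*` is an exact match on the whole CommandLine (unless a backend adds implicit wildcards), so a command line carrying the full path to systeminfo.exe or any argument would not match. If substring matching is intended, the four values should read `- '*systeminfo*'` and likewise for the other three. The added ParentImage entries are exact executable names (`'*\w3wp.exe'`, `'*\php-cgi.exe'`, `'*\nginx.exe'`, `'*\httpd.exe'`) next to the older bare substrings `'*\apache*'` and `'*\tomcat*'`, so precision now varies by entry; a one-line comment above `ParentImage:` explaining why the two older entries stay as substrings would help the next maintainer. The `selection` key and the start of `detection` lie above this hunk.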
+++ b/rules/windows/sysmon/sysmon_webshell_spawn.yml
@@ -11,10 +11,12 @@ detection:
 - '*\w3wp.exe'
 - '*\httpd.exe'
 - '*\nginx.exe'
+ - '*\php-cgi.exe'
 Image:
 - '*\cmd.exe'
 - '*\sh.exe'
 - '*\bash.exe'
+ - '*\powershell.exe'
 condition: selection
 falsepositives:
 - Particular web applications may spawn a shell process legitimately
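Review bot: The Image list in sysmon_webshell_spawn.yml now covers `cmd.exe`, `sh.exe`, `bash.exe` and `powershell.exe`, but the new sysmon_office_shell.yml in the same commit also treats `'*\wscript.exe'` and `'*\cscript.exe'` as shells, and neither those script hosts nor `pwsh.exe` are caught here; adding `- '*\wscript.exe'`, `- '*\cscript.exe'` and `- '*\pwsh.exe'` would keep the commit's notion of "shell spawned by a server process" consistent across rules. The ParentImage list here and the one in sysmon_webshell_detection.yml are now maintained by hand in two files (this hunk adds `php-cgi.exe` to one, the other hunk adds it to the other), so a short comment above the list pointing at the sibling rule would reduce drift. The `ParentImage:` key and the rest of `detection` start above this hunk, and the hunk ends inside `falsepositives`.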