diff --git a/rules/windows/powershell/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_ntfs_ads_access.yml
index 422ed4ead..e2c531b76 100644
--- a/rules/windows/powershell/powershell_ntfs_ads_access.yml
+++ b/rules/windows/powershell/powershell_ntfs_ads_access.yml
@@ -16,6 +16,7 @@ logsource:
 detection:
 keyword1:
 - "set-content"
+ - "add-content"
 keyword2:
 - "-stream"
 condition: keyword1 and keyword2
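Review bot: The `keyword1` list matches full cmdlet names only, so with `add-content` added the rule covers `Set-Content` and `Add-Content` when spelled out but not their built-in aliases or a shortened `-Stream` parameter name, both of which PowerShell accepts. If that limit is intentional, record it next to the list, e.g. `# full cmdlet names only; aliases and shortened parameter names are not matched`. Since `-stream` also appears in routine Zone.Identifier handling, the rule's `falsepositives` entry (outside this hunk, so not visible here) may deserve a line for that now that appends are matched as well.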