diff --git a/rules/network/net_wannacry_killswitch_domain.yml b/rules/network/net_wannacry_killswitch_domain.yml
index 52eb64c33..9ca3530c5 100644
--- a/rules/network/net_wannacry_killswitch_domain.yml
+++ b/rules/network/net_wannacry_killswitch_domain.yml
@@ -6,7 +6,7 @@ author: Mike Wade
 references:
 - https://www.fireeye.com/blog/products-and-services/2017/05/wannacry-ransomware-campaign.html
 date: 2020/09/16
-modified: 2021/11/27
+modified: 2022/03/24
 logsource:
 category: dns
 detection:
@@ -17,7 +17,6 @@ detection:
 - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
 - 'ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com'
 - 'iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
- - ''
 condition: selection
 falsepositives:
 - Analyst testing
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml
index 0c9779e7f..bcce4ec7f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml
@@ -21,6 +21,8 @@ detection:
 - 'I`EX'
 - 'IE`X'
 - 'I`E`X'
+ - ' | IEX'
+ - '|IEX '
 - 'Invoke-Execution'
 - ';iex $'
 condition: selection and execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
new file mode 100644
index 000000000..47fce53b0
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
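Review bot: The two patterns added to proc_creation_win_susp_powershell_download_iex.yml, ` | IEX` and `|IEX `, change its detection logic, yet this diff shows no `modified:` update for that file, unlike the first file in the same commit; Sigma convention is to bump it, e.g. `modified: 2022/03/24`. Because Sigma `contains` matching is case-insensitive, ` | IEX` already subsumes the ` | iex;`, ` | iex ` and ` | iex}` variants that the new proc_creation_win_susp_powershell_iex_patterns.yml adds in this commit, so both rules will fire on the same download-and-execute command lines; a `related:` entry pointing at the new rule's id would make the overlap explicit for analysts. The hunk shows only the tail of what appears to be the `execution` list; the `selection` half of `condition: selection and execution` lies outside it.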
@@ -0,0 +1,39 @@
+title: Suspicious PowerShell IEX Execution Patterns
+id: 09576804-7a05-458e-a817-eb718ca91f54
+status: experimental
+description: Detects suspicious ways to run Invoke-Execution using IEX acronym
+author: Florian Roth
+date: 2022/03/24
+references:
+ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_combined_1:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains:
+ -' | iex;'
+ -' | iex '
+ -' | iex}'
+ -' | IEX;'
+ -' | IEX ;'
+ -' | IEX -Error'
+ -' | IEX (new'
+ -' | IEX (New'
+ -');IEX '
+ selection_combined_2:
+ CommandLine|contains:
+ - '::FromBase64String'
+ - '.GetString([System.Convert]::'
+ selection_standalone:
+ CommandLine|contains:
+ -')|iex;$'
+ -')|IEX;$'
+ -');iex($'
+ -');iex $'
+ -' | IEX | '
+ condition: all of selection_combined* or selection_standalone
+falsepositives:
+ - Legitimate scripts that use IEX
+level: high
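Review bot: The `description:` of the new rule says `Invoke-Execution`, but the `IEX` alias (and the reference linked right below it) is `Invoke-Expression`; change it to `description: Detects suspicious ways to run Invoke-Expression using the IEX alias`. The list items under `selection_combined_1` and `selection_standalone` appear as `-' | iex;'` with no space between the dash and the opening quote; if the file is really written that way rather than this being a rendering artifact, YAML reads each as a plain scalar instead of a sequence entry and the rule will fail to load, so they should read `- ' | iex;'` like the entries in `selection_combined_2`. `selection_combined_1` requires `Image|endswith: '\powershell.exe'`, which leaves out `pwsh.exe`, while `selection_standalone` carries no image constraint at all; the asymmetry looks unintentional and is worth aligning or explaining in a comment. Since Sigma matching is case-insensitive, pairs such as ` | iex;` and ` | IEX;` are duplicates and can be collapsed to one entry each.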