diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_pubprn.yml b/rules/windows/process_creation/proc_creation_win_lolbas_pubprn.yml
new file mode 100644
index 000000000..6bbed8523
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_pubprn.yml
@@ -0,0 +1,23 @@
+title: Pubprn.vbs Proxy Execution
+id: 1fb76ab8-fa60-4b01-bddd-71e89bf555da
+description: Detects the use of a Micorsoft signed script to execute commands.
+status: experimental
+references:
+ - https://lolbas-project.github.io/lolbas/Scripts/Pubprn/
+author: frack113
+date: 2022/05/21
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - '\pubprn.vbs'
+ - 'script:'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1216.001
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_utilityfunctions.yml b/rules/windows/process_creation/proc_creation_win_lolbas_utilityfunctions.yml
new file mode 100644
index 000000000..2f2f8a780
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_utilityfunctions.yml
@@ -0,0 +1,23 @@
+title: UtilityFunctions.ps1 Proxy Dll
+id: 0403d67d-6227-4ea8-8145-4e72db7da120
+description: Detects the use of a Micorsoft signed script execute Managed DLL with PowerShell .
+status: experimental
+references:
+ - https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/
+author: frack113
+date: 2022/05/21
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ - 'UtilityFunctions.ps1'
+ - 'RegSnapin '
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1216
\ No newline at end of file
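Review bot: The `+description:` line misspells the vendor name — `Micorsoft` should be `Microsoft` — and the same typo is in proc_creation_win_lolbas_utilityfunctions.yml in this commit. Proposed line: `description: Detects the use of a Microsoft signed script to execute commands.`. The description could also say what the rule keys on so an analyst can triage a hit without opening the LOLBAS reference, e.g. `Detects pubprn.vbs being invoked with a "script:" argument, which the referenced LOLBAS entry documents as proxy execution through a signed Microsoft script.`.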
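Review bot: The two values under `CommandLine|contains:` are OR'd, so a command line containing only `RegSnapin ` or only `UtilityFunctions.ps1` fires the rule; if the intent is to catch the script being used to load a managed DLL, `CommandLine|contains|all:` (as the pubprn rule in this commit uses) would tie the two indicators together, and if the OR is deliberate the legitimate standalone use of the script should be named under `falsepositives` rather than `Unknown`. The description also has a grammar slip and a stray space before the period: `description: Detects the use of a Microsoft signed script to execute a managed DLL with PowerShell.`.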
diff --git a/rules/windows/registry/registry_set/registry_set_lolbas_onedrivestandaloneupdater.yml b/rules/windows/registry/registry_set/registry_set_lolbas_onedrivestandaloneupdater.yml
new file mode 100644
index 000000000..82ac7ba66
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_lolbas_onedrivestandaloneupdater.yml
@@ -0,0 +1,24 @@
+title: Lolbas OneDriveStandaloneUpdater.exe Set Download
+id: 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d
+description: |
+ Detect set url for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments
+ Executable was store in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
+status: experimental
+date: 2022/05/28
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
+author: frack113
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|contains: '\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.command_and_control
+ - attack.t1105
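Review bot: The second line of the `+description: |` block carries a path that looks garbled — `StandaloneUpdaterreSignInSettingsConfig.json` appears to have lost a separator between the directory and the file name — and should be checked against the referenced LOLBAS page before it is shipped as the documented artifact location. The same block reads awkwardly (`Detect set url`, `Executable was store in`); a tidier form would be `Detects a registry write to the URL OneDriveStandaloneUpdater.exe downloads from, which lets a signed binary fetch a file from the Internet without any anomalous process or arguments.` followed by `The downloaded file was observed at <path from the LOLBAS reference>.`. `level: high` sits next to `falsepositives: - Unknown`: the matched value is a OneDrive configuration key, so legitimate updater or tenant configuration may set it; if that has not been checked, either name it in falsepositives or lower the level until it has. Minor style point: `date:` is placed between `status:` and `references:` here, whereas the other two rules in this commit put it after `author:`; a consistent key order keeps the rules diffable.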