diff --git a/rules/windows/builtin/system/win_system_anydesk_service_installation.yml b/rules/windows/builtin/system/win_system_service_install_anydesk.yml
similarity index 100%
rename from rules/windows/builtin/system/win_system_anydesk_service_installation.yml
rename to rules/windows/builtin/system/win_system_service_install_anydesk.yml
diff --git a/rules/windows/builtin/system/win_system_service_install_mesh_agent.yml b/rules/windows/builtin/system/win_system_service_install_mesh_agent.yml
new file mode 100644
index 000000000..2d51a1dad
--- /dev/null
+++ b/rules/windows/builtin/system/win_system_service_install_mesh_agent.yml
@@ -0,0 +1,25 @@
+title: Mesh Agent Service Installation
+id: e0d1ad53-c7eb-48ec-a87a-72393cc6cedc
+status: experimental
+description: Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers
+references:
+ - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
+author: Nasreddine Bencherchali
+date: 2022/11/28
+tags:
+ - attack.command_and_control
+ - attack.t1219
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_root:
+ Provider_Name: 'Service Control Manager'
+ EventID: 7045
+ selection_service:
+ - ImagePath|contains: 'MeshAgent.exe'
+ - ServiceName|contains: 'Mesh Agent'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate use of the tool
+level: medium
diff --git a/rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml b/rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml
new file mode 100644
index 000000000..ea4a33722
--- /dev/null
+++ b/rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml
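Review bot: Both indicators under `selection_service` match default names only — `ImagePath|contains: 'MeshAgent.exe'` and `ServiceName|contains: 'Mesh Agent'` — and an operator dropping the agent for persistence chooses both the binary name and the service name freely, so a non-match must not be read as absence. Record that limitation in the rule so analysts weigh it correctly, e.g. a comment above `selection_service`: `# Default binary/service names only — a renamed MeshAgent evades this; pair with network telemetry for the agent's server connection`. The `falsepositives` entry `Legitimate use of the tool` could also be more useful: as far as I know MeshAgent is the MeshCentral agent and is deployed by IT at scale (and, if I recall correctly, bundled by Tactical RMM), so `- Legitimate MeshCentral deployments by IT; baseline expected hosts and installing accounts` tells a tuner what to exclude.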
@@ -0,0 +1,25 @@
+title: TacticalRMM Service Installation
+id: 4bb79b62-ef12-4861-981d-2aab43fab642
+status: experimental
+description: Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.
+references:
+ - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
+author: Nasreddine Bencherchali
+date: 2022/11/28
+tags:
+ - attack.command_and_control
+ - attack.t1219
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_root:
+ Provider_Name: 'Service Control Manager'
+ EventID: 7045
+ selection_service:
+ - ImagePath|contains: 'tacticalrmm.exe'
+ - ServiceName|contains: 'TacticalRMM Agent Service'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate use of the tool
+level: medium
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers.yml b/rules/windows/driver_load/driver_load_vuln_drivers.yml
index d544236f3..5d9bf7866 100644
--- a/rules/windows/driver_load/driver_load_vuln_drivers.yml
+++ b/rules/windows/driver_load/driver_load_vuln_drivers.yml
@@ -21,7 +21,7 @@ references:
 - https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
 author: Nasreddine Bencherchali
 date: 2022/08/18
-modified: 2022/11/28
+modified: 2022/11/29
 tags:
 - attack.privilege_escalation
 - attack.t1543.003
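Review bot: `ServiceName|contains: 'TacticalRMM Agent Service'` pins the full display name, while the sibling check uses the bare `tacticalrmm.exe`; a display name is exactly the string most likely to change between agent versions or be edited by an installer, so `ServiceName|contains: 'TacticalRMM'` keeps the coverage without widening it meaningfully (Sigma string matching is case-insensitive, so this also matches the lowercase form). As far as I know the Tactical RMM agent installs a Mesh Agent alongside itself for remote control; a comment noting that a genuine deployment is expected to trigger both this rule and the Mesh Agent rule would help analysts distinguish a full RMM rollout from a standalone MeshAgent drop, e.g. `# A legitimate Tactical RMM install normally also registers a 'Mesh Agent' service — correlate with that rule`. The `@@ -21,7` hunk in the same line is only a `modified:` date bump.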
@@ -287,6 +287,13 @@ detection:
 # Vuln driver version obtained from: https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
 # Version hash obtained from: https://winbindex.m417z.com/?arch=&file=clfs.sys
 - 'SHA1=06232f7ea7ea24102d452427aedbbc8b8e188a0c'
+ # Powertool Drivers obtained from VT by pivoting on the Imphash: f5030145594c486434040aa2636a5dde
+ - 'SHA1=a380aeb3ffaecc53ca48bb1d4d622c46f1de7962'
+ - 'SHA1=4927d843577bada119a17b249ff4e7f5e9983a92'
+ - 'SHA1=e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1'
+ - 'SHA1=3ccf1f3ac636a5e21b39ede48ff49fa23e05413f'
+ - 'SHA1=755349d56cdd668ca22eebc4fc89f0cccef47327'
+ - 'SHA1=56af49e030eb85528e82849d7d1b6147f3c4973e'
 # The list below is from https://github.com/namazso/physmem_drivers
 - 'SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748'
 - 'SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA'
@@ -540,6 +547,13 @@ detection:
 # Vuln driver version obtained from: https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
 # Version hash obtained from: https://winbindex.m417z.com/?arch=&file=clfs.sys
 - 'SHA256=5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e'
+ # Powertool Drivers obtained from VT by pivoting on the Imphash: f5030145594c486434040aa2636a5dde
+ - 'SHA256=e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4'
+ - 'SHA256=7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230'
+ - 'SHA256=97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56'
+ - 'SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f'
+ - 'SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184'
+ - 'SHA256=2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d'
 selection_other:
 - SHA1:
 # The list below is from https://github.com/namazso/physmem_drivers and the SHA1 are from VT
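Review bot: The only provenance given for the twelve new hashes is `# Powertool Drivers obtained from VT by pivoting on the Imphash: f5030145594c486434040aa2636a5dde`; imphash collisions between unrelated drivers built from the same SDK template are common, so a pure pivot can pull a benign driver into a list that this rule treats as vulnerable. The comment should state that each sample was individually confirmed to be the PowerTool driver (signer, PE original filename, behaviour) and name the driver, e.g. `# PowerTool kernel driver (kEvP64.sys): 6 samples found via VT imphash pivot f503...; each verified as the PowerTool driver, not merely imphash-adjacent`. It is also worth a line that this is a signed tool driver abused for process/driver killing rather than a CVE-style vulnerable driver, since the rule's description (outside this hunk) may not cover that case. Keep the six entries in the same order as the `selection_other` copies added further down so later corrections can be applied to both lists mechanically.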
@@ -798,6 +812,13 @@ detection:
 # Vuln driver version obtained from: https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
 # Version hash obtained from: https://winbindex.m417z.com/?arch=&file=clfs.sys
 - '06232f7ea7ea24102d452427aedbbc8b8e188a0c'
+ # Powertool Drivers obtained from VT by pivoting on the Imphash: f5030145594c486434040aa2636a5dde
+ - 'a380aeb3ffaecc53ca48bb1d4d622c46f1de7962'
+ - '4927d843577bada119a17b249ff4e7f5e9983a92'
+ - 'e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1'
+ - '3ccf1f3ac636a5e21b39ede48ff49fa23e05413f'
+ - '755349d56cdd668ca22eebc4fc89f0cccef47327'
+ - '56af49e030eb85528e82849d7d1b6147f3c4973e'
 - SHA256:
 # The list below is from https://github.com/namazso/physmem_drivers
 - '04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162'
@@ -1059,6 +1080,13 @@ detection:
 # Vuln driver version obtained from: https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
 # Version hash obtained from: https://winbindex.m417z.com/?arch=&file=clfs.sys
 - '5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e'
+ # Powertool Drivers obtained from VT by pivoting on the Imphash: f5030145594c486434040aa2636a5dde
+ - 'e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4'
+ - '7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230'
+ - '97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56'
+ - '8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f'
+ - '09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184'
+ - '2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d'
 condition: 1 of selection*
 falsepositives:
 - Unknown
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
index 36e520478..07d18c8ef 100644
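Review bot: These two hunks are a second copy of the six PowerTool SHA1 and SHA256 values for the bare `SHA1:`/`SHA256:` fields of `selection_other`, so every hash in this file now exists twice (once as `SHA1=`/`SHA256=` in the Sysmon `Hashes` list, once here) with nothing tying the copies together; a future correction or removal applied to one list will silently leave the other alive, and `condition: 1 of selection*` confirms both copies fire independently. Make the coupling explicit at the head of each duplicated block, e.g. `# Mirror of the 'SHA1=' entries in the Hashes list above — keep both lists in sync`, or better, generate both from one source in CI and fail the build when they diverge. The repeated imphash-pivot comment should also carry the same verification note as its twin above so a reader of this section alone knows the hashes were confirmed rather than merely pivoted.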
--- a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
+++ b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
@@ -20,7 +20,7 @@ references:
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969
 author: Nasreddine Bencherchali
 date: 2022/10/03
-modified: 2022/10/17
+modified: 2022/11/29
 tags:
 - attack.privilege_escalation
 - attack.t1543.003
@@ -203,6 +203,11 @@ detection:
 - '\ohm.sys'
 - '\sensorsview32_64.sys'
 - '\touchpointanalyticsclient.sys'
+ # PowerTool driver (kEvP64) renames from VT
+ - '\CQg5Jf.sys'
+ - '\HCdRDh.sys'
+ - '\NcDgDn.sys'
+ - '\vLTZ19.sys'
 condition: selection
 falsepositives:
 - Some false positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
diff --git a/rules/windows/process_creation/proc_creation_win_powertool_execution.yml b/rules/windows/process_creation/proc_creation_win_powertool_execution.yml
new file mode 100644
index 000000000..89f26df5e
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_powertool_execution.yml
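Review bot: The four names added under `# PowerTool driver (kEvP64) renames from VT` — `\CQg5Jf.sys`, `\HCdRDh.sys`, `\NcDgDn.sys`, `\vLTZ19.sys` — look like per-sample randomized six-character names rather than vendor filenames, so each entry only catches the exact build that produced it and the next sample arrives with a fresh name; they are the only entries in this list whose value is not a stable product name. Say so in the comment so nobody treats them as canonical or keeps extending the list sample by sample, e.g. `# PowerTool driver (kEvP64): randomized 6-char names observed on VT — sample-specific, low coverage; the hash list in driver_load_vuln_drivers.yml is the primary detection for this driver`. If the randomization pattern is confirmed, a regex on it would be far too noisy for a driver-load rule, so the hash-based sibling rule remains the right control. The `@@ -20,7` hunk is only a `modified:` date bump.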
@@ -0,0 +1,27 @@
+title: PowerTool Execution
+id: a34f79a3-8e5f-4cc3-b765-de00695452c2
+status: experimental
+description: Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files
+references:
+ - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
+ - https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html
+ - https://twitter.com/gbti_sa/status/1249653895900602375?lang=en
+ - https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml
+author: Nasreddine Bencherchali
+date: 2022/11/29
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ - Image|endswith:
+ - '\PowerTool.exe'
+ - '\PowerTool64.exe'
+ - OriginalFileName: 'PowerTool.exe'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml b/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml
index e909bcbd2..dabffeceb 100644
--- a/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml
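Review bot: `falsepositives: - Unlikely` is contradicted by the rule's own `softpedia.com` reference, which lists PowerTool as a publicly distributed anti-rootkit/removal utility; administrators and incident responders do run it, so the entry should name that case, e.g. `- Legitimate use by administrators or incident responders during malware removal`, and `level: high` is then justified by context (unexpected host, user or parent) rather than by the binary being malicious in itself. `OriginalFileName: 'PowerTool.exe'` only gives rename coverage for builds that carry that PE original filename; if the 64-bit build the `\PowerTool64.exe` entry targets ships with its own value, it needs adding here too — worth confirming against a sample before relying on it. A short comment linking this rule to the PowerTool kernel driver (the `kEvP64` entries added to the driver-load rules in this same change) would help analysts pivot from the process event to the driver load.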
@@ -1,11 +1,12 @@
 title: Raspberry Robin Dot Ending File
 id: a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a
 status: experimental
-description: Detects commandline containing reference to files ending with a ".". This scheme has been seen used by raspberry-robin
+description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
 author: Nasreddine Bencherchali
 references:
 - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
 date: 2022/10/28
+modified: 2022/11/28
 tags:
 - attack.execution
 logsource:
@@ -16,7 +17,7 @@ detection:
 # Example 1: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-3f-raspberryrobin-runonce.png
 # Example 2: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-5f-odbcconf.png
 # Example 3: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-6f-fauppod-command-line.png
- CommandLine|re: "\\.[a-zA-Z0-9]{1,6}\\.[ |\"|']{0,1}"
+ CommandLine|re: "\\.[a-zA-Z0-9]{1,6}\\.[ |\"|']{1}"
 filter:
 # This filter is used to exclude double extension files
 CommandLine|re: "\\.[a-zA-Z0-9]{1,6}\\.[a-zA-Z0-9]{1}"
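Review bot: The new pattern `[ |\"|']{1}` is a character class, not an alternation — inside `[...]` the `|` is a literal pipe, so the class accepts space, `"`, `'` and `|`, and `{1}` is a no-op; the intended expression is `CommandLine|re: "\\.[a-zA-Z0-9]{1,6}\\.[ \"']"`. Tightening `{0,1}` to `{1}` also drops the case where the dot-terminated filename is the last token of the command line with no trailing delimiter, which the old pattern still matched; if that case should stay covered, use `(?:[ \"']|$)` and confirm every target backend accepts `$` in Sigma `re` modifiers. Separately, the unchanged `filter` regex suppresses the whole event whenever any `x.yy.z` token appears anywhere in the command line (version strings, IP addresses), which can mask a true positive sitting beside one; consider constraining the filter to the same token instead of the entire command line. The first hunk is a description wording change plus a `modified:` date.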