diff --git a/rules/windows/file_event/win_fe_susp_desktop_txt.yml b/rules/windows/file_event/win_fe_susp_desktop_txt.yml
new file mode 100644
index 000000000..a80a8876c
--- /dev/null
+++ b/rules/windows/file_event/win_fe_susp_desktop_txt.yml
@@ -0,0 +1,25 @@
+title: Suspicious Creation TXT File in User Desktop
+id: caf02a0a-1e1c-4552-9b48-5e070bd88d11
+status: experimental
+description: Ransomware create txt file in the user Desktop
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note
+date: 2021/12/26
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image|endswith: \cmd.exe
+ TargetFilename|contains|all:
+ - \Users\
+ - \Desktop\
+ TargetFilename|endswith: .txt
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.impact
+ - attack.t1486
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_susp_remove_adgroupmember.yml b/rules/windows/powershell/powershell_script/powershell_ps_susp_remove_adgroupmember.yml
new file mode 100644
index 000000000..dfc884d48
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_ps_susp_remove_adgroupmember.yml
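Review bot: The selection on the `Image|endswith: \cmd.exe` and `TargetFilename|endswith: .txt` lines fires on every .txt file that cmd.exe writes under a user's Desktop, which includes ordinary `echo ... > note.txt` redirections and logon scripts, so `falsepositives: - Unknown` at `level: medium` understates the noise. Name the benign case, e.g. `- Users or scripts redirecting cmd.exe output to a text file on the Desktop`, and either lower the level or narrow TargetFilename toward ransom-note style names. Because the rule requires cmd.exe as the creating image, it only sees notes dropped the way the referenced Atomic test does; a note written by the ransomware's own process does not match, which is worth stating in the description. The description `Ransomware create txt file in the user Desktop` should also read `Ransomware creates a txt file on the user's Desktop`.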
@@ -0,0 +1,28 @@
+title: Remove Account From Domain Admin Group
+id: 48a45d45-8112-416b-8a67-46e03a4b2107
+status: experimental
+author: frack113
+date: 2021/12/26
+description: |
+ Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
+ Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - 'Remove-ADGroupMember'
+ - '-Identity '
+ - '-Members '
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
+tags:
+ - attack.impact
+ - attack.t1531
+
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_susp_wallpaper.yml b/rules/windows/powershell/powershell_script/powershell_ps_susp_wallpaper.yml
new file mode 100644
index 000000000..543556f4c
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_ps_susp_wallpaper.yml
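Review bot: The title `Remove Account From Domain Admin Group` promises more than the selection checks: `ScriptBlockText|contains|all` only requires `Remove-ADGroupMember`, `-Identity ` and `-Members `, so a removal from any group matches, not just Domain Admins. Either add a term for the group name (`- 'Domain Admins'`) so the rule matches its title, or retitle it to the real scope (`Remove Account From AD Group via PowerShell`). `falsepositives: - Unknown` should also mention `Administrators running legitimate group clean-up scripts`, since this cmdlet is routine admin tooling and the rule currently flags all of it.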
@@ -0,0 +1,31 @@
+title: Replace Desktop Wallpaper by Powershell
+id: c5ac6a1e-9407-45f5-a0ce-ca9a0806a287
+status: experimental
+author: frack113
+date: 2021/12/26
+description: |
+ An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.
+ This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection_1:
+ ScriptBlockText|contains|all:
+ - 'Get-ItemProperty'
+ - 'Registry::'
+ - 'HKEY_CURRENT_USER\Control Panel\Desktop\'
+ - 'WallPaper'
+ selection_2:
+ ScriptBlockText|contains: SystemParametersInfo(20,0,*,3)
+ condition: 1 of selection_*
+falsepositives:
+ - Unknown
+level: low
+tags:
+ - attack.impact
+ - attack.t1491.001
+
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_susp_win32_shadowcopy.yml b/rules/windows/powershell/powershell_script/powershell_ps_susp_win32_shadowcopy.yml
new file mode 100644
index 000000000..f4f43c161
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_ps_susp_win32_shadowcopy.yml
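Review bot: `selection_1` keys on `Get-ItemProperty`, which only reads the `WallPaper` value, while the defacement the description and reference talk about is the write; a script that merely queries the current wallpaper matches, and one that replaces it with `Set-ItemProperty` only matches if it also happens to call SystemParametersInfo. Add `- 'Set-ItemProperty'` as a further sub-selection alongside the read (the `1 of selection_*` condition already ORs them), or replace the read with the write if the query is not wanted. The `selection_2` literal `SystemParametersInfo(20,0,*,3)` is spacing-sensitive, so a hand-written call with spaces after the commas is missed; `SystemParametersInfo(20*` keyed on the SPI_SETDESKWALLPAPER action code would be more tolerant, at some cost in precision that the `low` level already allows for. The description's second sentence also lacks a terminal period.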
@@ -0,0 +1,25 @@
+title: Delete Volume Shadow Copies via WMI with PowerShell
+id: e17121b4-ef2a-4418-8a59-12fb1631fa9e
+status: experimental
+author: frack113
+date: 2021/12/26
+description: Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - 'Get-WmiObject'
+ - 'Win32_Shadowcopy'
+ - '.Delete()'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.impact
+ - attack.t1490
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_pc_delete_systemstatebackup.yml b/rules/windows/process_creation/win_pc_delete_systemstatebackup.yml
new file mode 100644
index 000000000..2a81b81a7
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_delete_systemstatebackup.yml
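Review bot: The selection only matches the literal cmdlet name `Get-WmiObject` together with `Win32_Shadowcopy` and `.Delete()`, so the same deletion written with the `gwmi` alias, or with the CIM cmdlets (`Get-CimInstance Win32_ShadowCopy | Remove-CimInstance`), produces no hit even though the effect on recovery is identical. Consider a second sub-selection requiring `Remove-CimInstance` with `Win32_ShadowCopy`, and listing `gwmi` as an alternative to the cmdlet name, so the rule covers the technique rather than the one reference script. Unlike the other rules in this commit, the file ends without a trailing newline (`\ No newline at end of file`); worth fixing for consistent linting.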
@@ -0,0 +1,30 @@
+title: Wbadmin Delete Systemstatebackup
+id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8
+status: experimental
+description: |
+ Deletes the Windows systemstatebackup using wbadmin.exe.
+ This technique is used by numerous ransomware families.
+ This may only be successful on server platforms that have Windows Backup enabled.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
+author: frack113
+date: 2021/12/13
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ wbadmin_exe:
+ - image|endswith: \wbadmin.exe
+ - CommandLine|contains: wbadmin
+ wbadmin_cmd:
+ CommandLine|contains|all:
+ - 'delete '
+ - 'systemstatebackup '
+ - '-keepVersions:0'
+ condition: all of wbadmin_*
+falsepositives:
+ - unknown
+level: high
+tags:
+ - attack.impact
+ - attack.t1490
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_pc_susp_cipher.yml b/rules/windows/process_creation/win_pc_susp_cipher.yml
new file mode 100644
index 000000000..15c5bdfad
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_susp_cipher.yml
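Review bot: The `wbadmin_exe` selection uses the lowercase field name `image|endswith`, whereas every other process_creation rule in this commit uses `Image`; Sigma field names are matched case-sensitively by backend field mappings, so this entry is likely not to map to the process image field and the OR-list would then rest on `CommandLine|contains: wbadmin` alone. Change it to `- Image|endswith: \wbadmin.exe`. The reference URL is also copied from the shadow-copy rule (`#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell`) rather than pointing at the wbadmin systemstatebackup test; replace the anchor with that test's own (`<ANCHOR-OF-WBADMIN-SYSTEMSTATEBACKUP-TEST>`, placeholder). `falsepositives: - unknown` should be capitalised like the sibling rules, and the file lacks a trailing newline.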
@@ -0,0 +1,24 @@
+title: Overwrite Deleted Data with Cipher
+id: 4b046706-5789-4673-b111-66f25fe99534
+status: experimental
+description: |
+ Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
+ Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
+author: frack113
+date: 2021/12/26
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: \cipher.exe
+ CommandLine|contains: ' /w:'
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
+tags:
+ - attack.impact
+ - attack.t1485
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_pc_susp_schtasks_disable.yml b/rules/windows/process_creation/win_pc_susp_schtasks_disable.yml
new file mode 100644
index 000000000..394bb15fe
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_susp_schtasks_disable.yml
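Review bot: `cipher.exe /w:` is the documented, built-in way to overwrite free space before a disk is reused or disposed of, so `falsepositives: - unknown` leaves the analyst without the one context that matters; write `- Administrators sanitising free space on a drive before reuse or disposal` and keep `level: medium` on that basis. The description's second sentence should end with a period, and the generic T1485 text does not say what the rule actually sees, so a line such as `The rule matches the /w: switch, which overwrites unallocated space on the given volume.` would help triage. As with the previous two files, the trailing newline is missing.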
@@ -0,0 +1,28 @@
+title: Disable Important Scheduled Task
+id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
+status: experimental
+description: Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task
+date: 2021/12/26
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ schtasks_exe:
+ Image|endswith: \schtasks.exe
+ CommandLine|contains|all:
+ - /Change
+ - /TN
+ - /disable
+ #split to add other
+ schtasks_name:
+ CommandLine|contains: '\Microsoft\Windows\SystemRestore\SR'
+ condition: all of schtasks_*
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.impact
+ - attack.t1489
diff --git a/rules/windows/process_creation/win_pc_susp_taskkill.yml b/rules/windows/process_creation/win_pc_susp_taskkill.yml
new file mode 100644
index 000000000..f713c8f23
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_susp_taskkill.yml
@@ -0,0 +1,24 @@
+title: Suspicious Execution of Taskkill
+id: 86085955-ea48-42a2-9dd3-85d4c36b167d
+status: experimental
+description: Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process
+date: 2021/12/26
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ taskkill:
+ Image|endswith: \taskkill.exe
+ CommandLine|contains|all:
+ - /f
+ - /im
+ condition: taskkill
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.impact
+ - attack.t1489
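Review bot: The `tags` entry `attack.t1489` (Service Stop) does not match what this rule detects: the only reference is the T1490 Atomic test (`T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task`) and `schtasks_name` pins the command to `\Microsoft\Windows\SystemRestore\SR`, which is inhibiting System Restore, so the tag should be `- attack.t1490`. The description is the T1489 text copied verbatim from the taskkill rule and should instead say that disabling the System Restore scheduled task removes a recovery path, which is what the selection actually sees. The inline comment `#split to add other` would read better as `# schtasks_name is a separate selection so further task names can be added as list entries`.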
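Review bot: `CommandLine|contains|all` with only `/f` and `/im` matches every forced kill by image name, which installers, update scripts and helpdesk tooling issue routinely, so `level: high` with `falsepositives: - Unknown` will page on benign activity; `/f` as a bare contains also matches the `/fi` filter switch. Either lower the level and document the benign sources (`- Administrative scripts and installers terminating processes by image name`), or add a second selection that requires the image names of the data-store services the description names (Exchange, SQL Server) so the rule is as specific as its description. The title `Suspicious Execution of Taskkill` should then say what is suspicious about it.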