diff --git a/rules/windows/network_connection/net_connection_win_script.yml b/rules/windows/network_connection/net_connection_win_script.yml
new file mode 100644
index 000000000..e323a992f
--- /dev/null
+++ b/rules/windows/network_connection/net_connection_win_script.yml
@@ -0,0 +1,24 @@
+title: Script Initiated Connection
+id: 08249dc0-a28d-4555-8ba5-9255a198e08c
+status: experimental
+description: Adversaries may use script to download malicious payloads.
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
+date: 2022/08/28
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Initiated: 'true'
+ Image|endswith:
+ - '\wscript.exe'
+ - '\cscript.exe'
+ condition: selection
+falsepositives:
+ - Legitimate script over networks
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_nimgrab.yml b/rules/windows/process_creation/proc_creation_win_nimgrab.yml
new file mode 100644
index 000000000..b6b9c7688
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_nimgrab.yml
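Review bot: The falsepositives entry `Legitimate script over networks` gives a triager nothing to act on; the selection matches every outbound connection that wscript.exe or cscript.exe initiates, which includes logon/GPO scripts reaching internal file shares and admin automation, so internal traffic is likely to dominate the hits. Suggest `- Logon, GPO or admin scripts reaching internal hosts; tune with a DestinationIp filter for internal ranges`. The description would also help reviewers if it named what is matched, e.g. `description: Detects network connections initiated by wscript.exe or cscript.exe, which adversaries use to download payloads`, since the current text describes the adversary behaviour rather than the rule.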
@@ -0,0 +1,30 @@
+title: Nimgrab Download File
+id: 74a12f18-505c-4114-8d0b-8448dd5485c6
+status: experimental
+description: Detects usage of nimgrab downloading a file
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
+date: 2022/08/28
+author: frack113
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_name:
+ Image|endswith: '\nimgrab.exe'
+ selection_hashes:
+ Hashes|contains:
+ - MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B
+ - SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559
+ - IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45
+ selection_hash:
+ - md5: 2DD44C3C29D667F5C0EF5F9D7C7FFB8B
+ - sha256: F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559
+ - imphash: C07FDDD21D123EA9B3A08EEF44AAAC45
+ condition: 1 of selection_*
+falsepositives:
+ - Legitimate use
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1105
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
new file mode 100644
index 000000000..827994f78
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
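Review bot: The description `Detects usage of nimgrab downloading a file` overstates what the selection checks: with `condition: 1 of selection_*` the rule fires on any process whose image ends in `\nimgrab.exe` or whose hash matches, and nothing inspects the command line for a URL or output path. Suggest `description: Detects execution of nimgrab.exe by image name or known hashes; no command-line check, so any run of the binary matches`, and a more specific `falsepositives` than `Legitimate use` — nimgrab is, as far as I know, shipped with the Nim toolchain, so developer workstations will trigger it. `selection_hashes` and `selection_hash` carry the same three values twice for different backend field layouts; a comment such as `# same values as selection_hashes, kept in both layouts for backends that split the Hashes field` would keep future hash updates in sync. The file also lacks a trailing newline (`\ No newline at end of file`), as does the registry_set_treatas_persistence.yml hunk.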
@@ -0,0 +1,27 @@
+title: COM Hijacking via TreatAs
+id: dc5c24af-6995-49b2-86eb-a9ff62199e82
+description: Detect modification of TreatAs key to enable "rundll32.exe -sta" command
+author: frack113
+date: 2022/08/28
+status: experimental
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|endswith: 'TreatAs\(Default)'
+ filter_office:
+ Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
+ Image|endswith: '\OfficeClickToRun.exe'
+ filter_office2:
+ Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
+ condition: selection and not 1 of filter_*
+falsepositives:
+ - Legitimate use.
+level: medium
+tags:
+ - attack.persistence
+ - attack.t1546.015
\ No newline at end of file
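Review bot: The description `Detect modification of TreatAs key to enable "rundll32.exe -sta" command` describes the Atomic test rather than the technique; a TreatAs (Default) value under a CLSID redirects activation of that class to another CLSID, so any COM client that instantiates it is affected, not only rundll32. Suggest `description: Detects a SetValue on the (Default) value of a CLSID's TreatAs subkey, which redirects COM activation of that class to another CLSID and is used for COM hijacking persistence`. `filter_office` only excludes the 64-bit `C:\Program Files\Common Files\Microsoft Shared\ClickToRun\` path while `filter_office2` already covers an `(x86)` install; if 32-bit Office setups also write TreatAs values, an `(x86)` variant of the ClickToRun path would be needed (to be confirmed against real telemetry before adding it). `Legitimate use.` here versus `Legitimate use` in the nimgrab rule is a minor consistency nit.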