diff --git a/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
new file mode 100644
index 000000000..c2235ff87
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
@@ -0,0 +1,28 @@
+title: Powershell MsXml COM Object
+id: 78aa1347-1517-4454-9982-b338d6df8343
+status: experimental
+description: |
+  Adversaries may abuse PowerShell commands and scripts for execution.
+  PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
+  Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
+author: frack113
+date: 2022/01/19
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt
+    - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)
+logsource:
+    product: windows
+    category: ps_script
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - New-Object
+            - '-ComObject'
+            - MsXml2.ServerXmlHttp
+    condition: selection
+falsepositives:
+  - legitimate administrative script
+level: medium
+tags:
+  - attack.execution
+  - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
new file mode 100644
index 000000000..23d0496ff
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
@@ -0,0 +1,30 @@
+title: Powershell XML Execute Command
+id: 6c6c6282-7671-4fe9-a0ce-a2dcebdc342b
+status: experimental
+description: |
+  Adversaries may abuse PowerShell commands and scripts for execution.
+  PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
+  Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
+author: frack113
+date: 2022/01/19
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests
+logsource:
+    product: windows
+    category: ps_script
+detection:
+    selection_xml:
+        ScriptBlockText|contains|all:
+            - New-Object
+            - System.Xml.XmlDocument
+            - .Load
+    selection_exec:
+            - IEX
+            - Invoke-Expression
+    condition: all of selection_*
+falsepositives:
+  - legitimate administrative script
+level: medium
+tags:
+  - attack.execution
+  - attack.t1059.001