diff --git a/rules/windows/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml b/rules/windows/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
new file mode 100644
index 000000000..3928f1cb8
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
@@ -0,0 +1,30 @@
+title: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
+id: 36475a7d-0f6d-4dce-9b01-6aeb473bbaf1
+status: experimental
+author: frack113
+date: 2021/07/16
+description: Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md
+tags:
+    - attack.defense_evasion
+    - attack.t1216
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    select_vbs:
+        CommandLine|contains: '\SyncAppvPublishingServer.vbs'
+    select_opt:
+        CommandLine|contains|all:
+            - '"n;'
+            - 'Start-Process '
+    condition: select_vbs and select_opt
+fields:
+    - ComputerName
+    - User
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Unknow
+level: medium