diff --git a/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml b/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
new file mode 100644
index 000000000..e0fbfe4ae
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
@@ -0,0 +1,124 @@
+title: Malicious PowerShell Commandlet Names
+status: experimental
+description: Detects the creation of known powershell scripts for exploitation
+references:
+    - https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
+author: Markus Neis
+date: 2018/04/07
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 11
+        TargetFilename:
+            - '*\Invoke-DllInjection.ps1'   
+            - '*\Invoke-WmiCommand.ps1'
+            - '*\Get-GPPPassword.ps1'
+            - '*\Get-Keystrokes.ps1'
+            - '*\Get-VaultCredential.ps1'
+            - '*\Invoke-CredentialInjection.ps1'
+            - '*\Invoke-Mimikatz.ps1'
+            - '*\Invoke-NinjaCopy.ps1'
+            - '*\Invoke-TokenManipulation.ps1'
+            - '*\Out-Minidump.ps1'
+            - '*\VolumeShadowCopyTools.ps1'
+            - '*\Invoke-ReflectivePEInjection.ps1'
+            - '*\Get-TimedScreenshot.ps1'
+            - '*\Invoke-UserHunter.ps1'
+            - '*\Find-GPOLocation.ps1'
+            - '*\Invoke-ACLScanner.ps1'
+            - '*\Invoke-DowngradeAccount.ps1'
+            - '*\Get-ServiceUnquoted.ps1'
+            - '*\Get-ServiceFilePermission.ps1'
+            - '*\Get-ServicePermission.ps1'
+            - '*\Invoke-ServiceAbuse.ps1'
+            - '*\Install-ServiceBinary.ps1'
+            - '*\Get-RegAutoLogon.ps1'
+            - '*\Get-VulnAutoRun.ps1'
+            - '*\Get-VulnSchTask.ps1'
+            - '*\Get-UnattendedInstallFile.ps1'
+            - '*\Get-WebConfig.ps1'
+            - '*\Get-ApplicationHost.ps1'
+            - '*\Get-RegAlwaysInstallElevated.ps1'
+            - '*\Get-Unconstrained.ps1'
+            - '*\Add-RegBackdoor.ps1'
+            - '*\Add-ScrnSaveBackdoor.ps1'
+            - '*\Gupt-Backdoor.ps1'
+            - '*\Invoke-ADSBackdoor.ps1'
+            - '*\Enabled-DuplicateToken.ps1'
+            - '*\Invoke-PsUaCme.ps1'
+            - '*\Remove-Update.ps1'
+            - '*\Check-VM.ps1'
+            - '*\Get-LSASecret.ps1'
+            - '*\Get-PassHashes.ps1'
+            - '*\Invoke-Mimikatz.ps1'
+            - '*\Show-TargetScreen.ps1'
+            - '*\Port-Scan.ps1'
+            - '*\Invoke-PoshRatHttp.ps1'
+            - '*\Invoke-PowerShellTCP.ps1'
+            - '*\Invoke-PowerShellWMI.ps1'
+            - '*\Add-Exfiltration.ps1'
+            - '*\Add-Persistence.ps1'
+            - '*\Do-Exfiltration.ps1'
+            - '*\Start-CaptureServer.ps1'
+            - '*\Invoke-DllInjection.ps1'
+            - '*\Invoke-ReflectivePEInjection.ps1'
+            - '*\Invoke-ShellCode.ps1'
+            - '*\Get-ChromeDump.ps1'
+            - '*\Get-ClipboardContents.ps1'
+            - '*\Get-FoxDump.ps1'
+            - '*\Get-IndexedItem.ps1'
+            - '*\Get-Keystrokes.ps1'
+            - '*\Get-Screenshot.ps1'
+            - '*\Invoke-Inveigh.ps1'
+            - '*\Invoke-NetRipper.ps1'
+            - '*\Invoke-NinjaCopy.ps1'
+            - '*\Out-Minidump.ps1'
+            - '*\Invoke-EgressCheck.ps1'
+            - '*\Invoke-PostExfil.ps1'
+            - '*\Invoke-PSInject.ps1'
+            - '*\Invoke-RunAs.ps1'
+            - '*\MailRaider.ps1'
+            - '*\New-HoneyHash.ps1'
+            - '*\Set-MacAttribute.ps1'
+            - '*\Get-VaultCredential.ps1'
+            - '*\Invoke-DCSync.ps1'
+            - '*\Invoke-Mimikatz.ps1'
+            - '*\Invoke-PowerDump.ps1'
+            - '*\Invoke-TokenManipulation.ps1'
+            - '*\Exploit-Jboss.ps1'
+            - '*\Invoke-ThunderStruck.ps1'
+            - '*\Invoke-VoiceTroll.ps1'
+            - '*\Set-Wallpaper.ps1'
+            - '*\Invoke-InveighRelay.ps1'
+            - '*\Invoke-PsExec.ps1'
+            - '*\Invoke-SSHCommand.ps1'
+            - '*\Get-SecurityPackages.ps1'
+            - '*\Install-SSP.ps1'
+            - '*\Invoke-BackdoorLNK.ps1'
+            - '*\PowerBreach.ps1'
+            - '*\Get-GPPPassword.ps1'
+            - '*\Get-SiteListPassword.ps1'
+            - '*\Get-System.ps1'
+            - '*\Invoke-BypassUAC.ps1'
+            - '*\Invoke-Tater.ps1'
+            - '*\Invoke-WScriptBypassUAC.ps1'
+            - '*\PowerUp.ps1'
+            - '*\PowerView.ps1'
+            - '*\Get-RickAstley.ps1'
+            - '*\Find-Fruit.ps1'
+            - '*\HTTP-Login.ps1'
+            - '*\Find-TrustedDocuments.ps1'
+            - '*\Invoke-Paranoia.ps1'
+            - '*\Invoke-WinEnum.ps1'
+            - '*\Invoke-ARPScan.ps1'
+            - '*\Invoke-PortScan.ps1'
+            - '*\Invoke-ReverseDNSLookup.ps1'
+            - '*\Invoke-SMBScanner.ps1'
+            - '*\Invoke-Mimikittenz.ps1'
+    condition: selection
+falsepositives:
+    - Penetration Tests
+level: high
+        
diff --git a/rules/windows/sysmon/sysmon_susp_image_load.yml b/rules/windows/sysmon/sysmon_susp_image_load.yml
new file mode 100644
index 000000000..d7295ab6a
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_susp_image_load.yml
@@ -0,0 +1,22 @@
+title: Possible Process Hollowing Image Loading 
+status: experimental
+description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz
+references:
+    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
+author: Markus Neis
+date: 2018/01/07
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 7
+        Image:
+            - '*\notepad.exe'
+        ImageLoaded:
+            - '*\samlib.dll'
+            - '*\WinSCard.dll'
+    condition: selection
+falsepositives:
+    - Very likely, needs more tuning
+level: high