diff --git a/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml b/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml
new file mode 100644
index 000000000..36386c975
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml
@@ -0,0 +1,27 @@
+title: WMI Win32_Product Install MSI
+id: 91109523-17f0-4248-a800-f81d9e7c081d
+status: experimental
+description: Executes an MSI using the WMI Win32_Product class
+author: frack113
+date: 2022/04/24
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - 'Invoke-CimMethod '
+            - '-ClassName '
+            - 'Win32_Product '
+            - '-MethodName '
+            - '.msi'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1218.007
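Review bot: The `falsepositives` entry `- Unknown` under-documents a benign pattern the selection will match: legitimate administrative or software-deployment scripts that install packages through CIM use exactly the `Invoke-CimMethod -ClassName Win32_Product -MethodName Install` form the five `contains|all` tokens key on, so an analyst triaging a hit gets no guidance on what to rule out. I would replace the entry with `- Administrative or software-deployment scripts that install MSI packages through the Win32_Product class`. The `description` could also say why the pattern matters rather than just restating the selection, e.g. `description: Detects the installation of an MSI package through the WMI Win32_Product class, which avoids a direct msiexec.exe command line and may be used to proxy execution of the package`. The proxy-execution wording is inferred from the `attack.t1218.007` tag rather than shown in the hunk, so confirm it against the referenced atomic test before adopting it.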