diff --git a/Campaigns/apt ta17 293a ps.txt b/Campaigns/apt ta17 293a ps.txt
new file mode 100644
index 00000000..727a6132
--- /dev/null
+++ b/Campaigns/apt ta17 293a ps.txt
@@ -0,0 +1,6 @@
+// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_ta17_293a_ps.yml
+// Questions via Twitter: @janvonkirchheim
+DeviceProcessEvents
+| where Timestamp > ago(7d)
+| where ProcessCommandLine =~ "ps.exe -accepteula"
+| top 100 by Timestamp desc
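Review bot: The `=~` filter on line 5 of the hunk is a case-insensitive equality test against the whole command line, so it only fires when the process was launched as exactly `ps.exe -accepteula`; a full path (`C:\Tools\ps.exe -accepteula`), quoting, or any additional switch after `-accepteula` would be missed, which makes the query narrower than the Sigma rule it cites appears to be. A term match on both tokens keeps the intent while covering those variants: `| where ProcessCommandLine has "ps.exe" and ProcessCommandLine has "-accepteula"`, optionally tightened with `FileName =~ "ps.exe"` to keep noise from unrelated binaries down. The two header comments also say nothing about what the query is meant to catch; a one-liner such as `// Hunts for PsExec renamed to ps.exe with the EULA switch, as described in the referenced TA17-293A Sigma rule` would let an analyst triage hits without following the link. Note that `top 100 by Timestamp desc` silently truncates results, so a noisy environment could hide older matches within the 7-day window.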