diff --git a/experimental.rules b/experimental.rules
index 1f49e30..5ce421e 100644
--- a/experimental.rules
+++ b/experimental.rules
@@ -35,3 +35,4 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPERIMENTAL (data) downl
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPERIMENTAL (data) download with high entropy from dotted-quad host"; flow:from_server,established; filesize:>10240; filemagic:"data"; filemagic:!" data"; flowbits:isset,http.dottedquadhost; luajit:suri-high-entropy.lua; classtype:bad-unknown; sid:380000016; rev:1;)
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPERIMENTAL XORed binary after plugin file download"; flow:from_server,established; file_data; content:!"MZ"; within:2; xbits:isset,ET.pluginfile,track ip_pair; luajit:suri-xor-binary-quick.lua; classtype:bad-unknown; sid:380000017; rev:1;)
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPERIMENTAL PE EXE or DLL binary after plugin file download"; flow:from_server,established; flowbits:isset,ET.http.binary; xbits:isset,ET.pluginfile,track ip_pair; threshold: type both, count 1, seconds 120, track by_src; classtype:bad-unknown; sid:380000018; rev:1;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPERIMENTAL JS ShellWindows/AddInProcess Win10 DeviceGuardBypass Inbound"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"|7b|9BA05972-F6A8-11CF-A442-00A0C90A8F39|7d|"; nocase; fast_pattern; content:"AddInProcess"; content:"|2f|guid|3a|"; distance:0; content:"|2f|pid|3a|"; distance:0; content:"Windows|5c 5c|Microsoft.Net|5c 5c|"; distance:0; classtype:trojan-activity; sid:90000000; rev:1;)
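Review bot: In the added sid:90000000 rule the `AddInProcess` and `Windows|5c 5c|Microsoft.Net|5c 5c|` contents are case-sensitive while the CLSID content gets `nocase`; Windows file paths are case-insensitive, so a script that spells the path `windows\\microsoft.net\\...\\addinprocess.exe` executes identically on the host but slips past the signature, and `nocase;` should be added to both (e.g. `content:"AddInProcess"; nocase;`), and arguably to the `/guid:` and `/pid:` switches as well. The trailing `distance:0` also forces the `Windows\\Microsoft.Net\\` path to be found after `/pid:`; if, as seems likely, that path is the directory prefix of the AddInProcess.exe command line and therefore precedes `AddInProcess` in the sample, the last content can never match and the `distance:0` on it should be dropped or the content moved ahead of `AddInProcess`. Finally, `sid:90000000` falls outside the 380000xxx sequence the surrounding rules in this file use; `sid:380000019;` would keep the file's numbering consistent.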