diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml
new file mode 100644
index 00000000..28e5e44f
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml
@@ -0,0 +1,42 @@
+action: global
+title: Invoke-Obfuscation Via Use Clip
+id: 63e3365d-4824-42d8-8b82-e56810fefa0c
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+falsepositives:
+    - Unknown
+level: high
+detection:
+    selection_1:
+        - ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+    condition: selection and selection_1
+---
+logsource:
+    product: windows
+    service: system
+detection:
+    selection:
+        EventID: 7045
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 6
+---
+    logsource:
+        product: windows
+        service: security
+    detection:
+        selection:
+            EventID: 4697
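Review bot: The global `selection_1` keys on `ImagePath`, but that field only exists on the System 7045 service-install event; Security 4697 carries the service binary path in `ServiceFileName`, and Sysmon EventID 6 is a driver-load event whose path field is `ImageLoaded`, so two of the three documents can never match the obfuscated command line this rule targets. Moving the regex into each logsource document with the matching field name (`ServiceFileName|re:` for 4697) and dropping, or justifying in a comment, the Sysmon 6 section would make the rule actually fire on the sources it claims to cover — the Sysmon section in particular looks like a copy-paste from a driver-load template rather than a service install, though confirm against the field mapping the project's backends apply. Separately, the last document indents `logsource`/`detection` by four spaces while the other two start at column 0; it still parses as a mapping, but it reads as a nested key and should be aligned with the sibling documents. The leading `.*?` and trailing `.*` in the `(?i)` pattern are redundant under the search semantics most Sigma backends use for `|re` and can be dropped to keep the expression readable.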