diff --git a/rules/windows/builtin/win_susp_psexec.yml b/rules/windows/builtin/win_susp_psexec.yml
new file mode 100644
index 000000000..3e79043a6
--- /dev/null
+++ b/rules/windows/builtin/win_susp_psexec.yml
@@ -0,0 +1,28 @@
+title: Suspicious PsExec execution
+description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
+author: Samir Bousseaden
+references:
+    - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
+tags:
+    - attack.lateral_movement
+    - attack.T1077
+logsource:
+    product: windows
+    service: security
+    description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
+detection:
+    selection1:
+        EventID: 5145
+        ShareName: \\*\IPC$
+        RelativeTargetName:
+         - '*-stdin'
+         - '*-stdout'
+         - '*-stderr'
+    selection2:
+        EventID: 5145
+        ShareName: \\*\IPC$
+        RelativeTargetName: 'PSEXESVC*'
+    condition: selection1 and not selection2
+falsepositives: 
+    - nothing observed so far
+level: high