diff --git a/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml
new file mode 100644
index 000000000..3a35b6a6c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml
@@ -0,0 +1,26 @@
+title: 3Proxy Usage
+id: f38a82d2-fba3-4781-b549-525efbec8506
+status: experimental
+description: Detects the use of 3proxy, a tiny free proxy server
+author: Florian Roth
+date: 2022/09/13
+references:
+ - https://github.com/3proxy/3proxy
+ - https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+tags:
+ - attack.command_and_control
+ - attack.t1572
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\3proxy.exe'
+ selection_pe:
+ Description: '3proxy - tiny proxy server'
+ selection_params: # param combos seen in the wild
+ CommandLine|contains: '.exe -i127.0.0.1 -p'
+ condition: 1 of selection
+falsepositives:
+ - Administrative activity
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
index db964e3ad..81ef7abf7 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
@@ -15,8 +15,8 @@ logsource:
 product: windows
 detection:
 selection:
- Image|endswith: '\dllhost.exe'
- ParentCommandLine:
+ PranetImage|endswith: '\dllhost.exe'
+ ParentCommandLine|contains:
 - '/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
 - '/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}'
 filter:
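Review bot: The condition `1 of selection` at the end of the new 3proxy rule's detection block names only the `selection` identifier, so unless the Sigma backend in use expands a bare name as a prefix, `selection_pe` and `selection_params` are never evaluated and the rule reduces to the `\3proxy.exe` image-name check, leaving the PE-description and command-line selectors the author clearly added as alternate signals dead. Write it as `condition: 1 of selection*` (or rename the first selector `selection_img` and use `1 of selection_*`) so all three selectors are OR-ed as intended. It would also help a reader if the `# param combos seen in the wild` comment pointed at the Talos reference already listed under `references`, since that is presumably where the `-i127.0.0.1 -p` form comes from.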
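Review bot: `PranetImage|endswith: '\dllhost.exe'` on the new side of the icmluautil hunk misspells the field name; `PranetImage` is not a process_creation field, so depending on the backend the rule either fails validation or the selection never matches and this UAC-bypass detection goes silent. Change it to `ParentImage|endswith: '\dllhost.exe'`. The switch from an `Image` check to a parent-image check together with the new `|contains` modifier on `ParentCommandLine` is otherwise consistent with the two CLSID values that follow; the enclosing `selection` mapping and the `filter` block continue outside the hunk, so the filter side of the condition could not be reviewed here.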