diff --git a/rules/windows/process_creation/win_malware_dtrack.yml b/rules/windows/process_creation/win_malware_dtrack.yml
new file mode 100644
index 000000000..3b532a1d2
--- /dev/null
+++ b/rules/windows/process_creation/win_malware_dtrack.yml
@@ -0,0 +1,21 @@
+title: DTRACK Process Creation
+status: experimental
+description: Detects specific process parameters as seen in DTRACK infections
+author: Florian Roth
+date: 2019/10/30
+references:
+ - https://securelist.com/my-name-is-dtrack/93338/
+ - https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine: '* echo EEEE > *'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unlikely
+level: critical
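Review bot: The detection rests on a single literal command-line string, `CommandLine: '* echo EEEE > *'`, taken from the referenced sample, so this is an IOC-style match rather than a behavioral one and a trivially modified variant (a different echoed token, or `echo EEEE>file` without the surrounding spaces) would not match; the description should say so, e.g. `description: Detects a command line artifact ('echo EEEE >' redirection) observed in DTRACK samples; this is a sample-specific string and may not match modified variants`. Given that brittleness and `status: experimental`, `level: critical` combined with `falsepositives: Unlikely` looks strong for a rule that has only been validated against one sandbox run; `high` would be the more conventional starting level until the pattern is confirmed against more samples, though the author may have evidence not visible here. The rule also carries no `tags:` block; if the Securelist attribution is relied on, a tag line pointing at the relevant actor/technique would let consumers pivot on it, but I have not verified the attribution from the diff itself.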