diff --git a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
new file mode 100644
index 000000000..601a65f63
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
@@ -0,0 +1,27 @@
+title: Wab Execution From Non Default Location
+id: 395907ee-96e5-4666-af2e-2ca91688e151
+status: experimental
+description: Detects execution of wab.exe (Windows Contacts) from non default locations as seen with bumblebee activity
+references:
+    - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
+    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
+author: Nasreddine Bencherchali
+date: 2022/08/12
+tags:
+    - attack.defense_evasion
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\wab.exe'
+    filter:
+        Image|startswith:
+            - 'C:\Windows\WinSxS\'
+            - 'C:\Program Files\Windows Mail\'
+            - 'C:\Program Files (x86)\Windows Mail\'
+    condition: selection and not filter
+falsepositives:
+    - Unlikely
+level: high