diff --git a/rules/windows/process_creation/proc_creation_win_double_ext_parent.yml b/rules/windows/process_creation/proc_creation_win_double_ext_parent.yml
new file mode 100644
index 000000000..18add77a0
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_double_ext_parent.yml
@@ -0,0 +1,24 @@
+title: Suspicious Double File Extention in ParentCommandLine
+id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c
+status: experimental
+description: Detect when in suspicious Double File Extension is use in the ParentCommandLine
+references:
+    - https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68
+author: frack113
+date: 2023/01/06
+tags:
+    - attack.defense_evasion
+    - attack.t1036.007
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentCommandLine|contains:
+            - '.doc.lnk'
+            - '.docx.lnk'
+            - '.pdf.lnk'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
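Review bot: The `ParentCommandLine|contains` list near the end of the hunk only matches three document-style double extensions, so the same lure pattern with `.xls.lnk`, `.xlsx.lnk`, `.ppt.lnk`, `.pptx.lnk`, `.txt.lnk` or `.jpg.lnk` is not covered; adding those entries to the list would bring coverage in line with the T1036.007 tag without changing the rule's logic. Sigma string matching is case-insensitive by default, so mixed-case variants are already handled. The `falsepositives` entry of `Unknown` combined with `level: high` is worth revisiting: Windows names shortcuts in the user's Recent folder `<name>.<ext>.lnk`, so a legitimate document launched through such a shortcut could presumably yield a matching parent command line — confirm against real telemetry before keeping `high`. The title and description also carry typos; suggested wording is `title: Suspicious Double File Extension in ParentCommandLine` and `description: Detects when a suspicious double file extension is used in the ParentCommandLine`.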