diff --git a/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml b/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml
new file mode 100644
index 000000000..d9229ef1c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml
@@ -0,0 +1,34 @@
+title: Suspicious Powercfg Execution To Change Lock Screen Timeout
+id: f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b
+status: experimental
+description: Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
+references:
+ - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
+ - https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options
+author: frack113
+date: 2022/11/18
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_power:
+ - Image|endswith: '\powercfg.exe'
+ - OriginalFileName: 'PowerCfg.exe'
+ selection_standby:
+ # powercfg.exe /SETACVALUEINDEX SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK
+ - CommandLine|contains|all:
+ - '/setacvalueindex '
+ - 'SCHEME_CURRENT'
+ - 'SUB_VIDEO'
+ - 'VIDEOCONLOCK'
+ # powercfg -change -standby-timeout-dc 3000
+ # powercfg -change -standby-timeout-ac 3000
+ - CommandLine|contains|all:
+ - '-change '
+ - '-standby-timeout-'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
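Review bot: The second alternative in `selection_standby` (`'-change '` plus `'-standby-timeout-'`) matches any change to the standby timeout with no value or context constraint, which is routine in imaging, GPO and SCCM provisioning scripts, so `falsepositives: - Unknown` undersells the noise this rule will produce at `level: medium`; I would replace it with `    - Administrative or provisioning scripts that change standby timeouts` and note in the description that the rule also covers standby-timeout changes, not only the lock-screen (VIDEOCONLOCK) case the title names. Coverage is also asymmetric: the first alternative uses the slash form `'/setacvalueindex '` while the second only matches the hyphen form `'-change '`, although powercfg accepts `/change` as well, so an additional `- '/change '` in that list (or a single `contains` on `change ` if the backend supports it) would close the gap, at the cost of the same FP exposure. Because the diff on this page has its indentation collapsed, the nesting of the two `CommandLine|contains|all` value lists under `selection_standby` cannot be confirmed from here and should be checked against the rendered file before merge.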