diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
new file mode 100644
index 000000000..3bb4c1aae
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -0,0 +1,27 @@
+title: DNS Tunnel Technique from MuddyWater
+id: 36222790-0d43-4fe8-86e4-674b27809543
+description: Detecting DNS tunnel activity for Muddywater actor
+author: '@caliskanfurkan_'
+status: experimental
+date: 2020/06/04
+references:
+ - https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
+ - https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
+tags:
+ - attack.command_and_control
+ - attack.t1071
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\powershell.exe'
+ ParentImage|endswith:
+ - '\excel.exe'
+ CommandLine|contains:
+ - 'DataExchange.dll'
+ condition: selection
+falsepositives:
+ - Unkown
+level: critical
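Review bot: The title and description promise detection of DNS tunnel activity, but the selection only matches a process_creation event where Excel spawns PowerShell with `DataExchange.dll` on the command line, i.e. the document-driven execution stage of the referenced sample rather than any DNS traffic, so an analyst triaging the alert will be misled about what fired. The description should state what is actually matched, e.g. `description: Detects PowerShell spawned by Excel with DataExchange.dll on the command line, an execution pattern seen in MuddyWater samples that subsequently used DNS tunneling`, and the tags presumably belong with an execution technique as much as with command_and_control. The `falsepositives` entry is misspelled (`- Unknown`), and `level: critical` combined with `status: experimental` and unknown false positives seems hard to justify until the Excel-to-PowerShell pattern has been baselined. As a point of style, the single-element lists under `Image|endswith`, `ParentImage|endswith` and `CommandLine|contains` can be plain scalars, and the file sits under `rules/windows/sysmon/` while its logsource is the generic `process_creation` category, which I believe the repository usually keeps in a process_creation directory.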