diff --git a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
new file mode 100644
index 000000000..a876d74a3
--- /dev/null
+++ b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
@@ -0,0 +1,25 @@
+title: Potential NT API Stub Patching
+id: b916cba1-b38a-42da-9223-17114d846fd6
+status: experimental
+description: Detects potential NT API stub patching as seen used by the project PatchingAPI
+references:
+    - https://github.com/D1rkMtr/UnhookingPatch
+    - https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
+author: frack113
+date: 2023/01/07
+tags:
+    - attack.defense_evasion
+    - attack.t1562.002
+logsource:
+    category: process_access
+    product: windows
+detection:
+    selection:
+        GrantedAccess: '0x1FFFFF'
+        CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll+'
+        CallTrace|contains: '|UNKNOWN('
+        CallTrace|endswith: ')'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
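Review bot: Nothing in `selection` identifies a patched stub; the three `CallTrace` conditions together match any process-access event whose stack goes straight from ntdll into an unbacked region as its last frame, and `GrantedAccess: '0x1FFFFF'` only narrows that to full-access handles, so `falsepositives: - Unknown` understates the noise this will produce on hosts running JIT-compiled or packed software that also produces `UNKNOWN(` frames. The description should say what is actually matched, e.g. `description: Detects process access with full access rights where the call stack leads from ntdll directly into unbacked memory, a pattern seen with the PatchingAPI project`, and the falsepositives list should name the benign classes observed during tuning rather than "Unknown". The `startswith: 'C:\Windows\SYSTEM32\ntdll.dll+'` anchor also ties the rule to the default system drive; if that is intentional it is worth a comment, otherwise `CallTrace|contains: '\ntdll.dll+'` as the first frame check would be more portable. Separately, `attack.t1562.002` maps to "Disable Windows Event Logging"; unhooking or patching user-mode API stubs to evade security tooling appears closer to `attack.t1562.001` (Disable or Modify Tools), so the tag looks worth confirming against the intended technique.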