diff --git a/rules/windows/process_creation/proc_creation_win_sysnative.yml b/rules/windows/process_creation/proc_creation_win_sysnative.yml
new file mode 100644
index 000000000..08db33cb5
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_sysnative.yml
@@ -0,0 +1,23 @@
+title: Process Creation using Sysnative Folder
+id: 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab
+status: experimental
+description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
+references:
+    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
+author: Max Altgelt
+date: 2022/08/23
+tags:
+    - attack.t1055
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    sysnative:
+        CommandLine|startswith: 'C:\Windows\Sysnative\'
+    condition: sysnative
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Unknown
+level: medium
\ No newline at end of file
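Review bot: The `CommandLine|startswith: 'C:\Windows\Sysnative\'` selection misses the common case where the executable path is quoted (the command line then starts with `"`), and it hard-codes the `C:` drive, so systems with Windows on another volume never match. A `contains` match on the path fragment covers both: `CommandLine|contains: ':\Windows\Sysnative\'`, and the `startswith` line can be dropped. The `falsepositives: Unknown` entry is presumably a placeholder; 32-bit deployment and installer scripts that reach 64-bit binaries through Sysnative are a likely benign source and are worth naming there, which also justifies keeping the level at medium rather than raising it.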