diff --git a/rules/apt/apt_dragonfly.yml b/rules/apt/apt_dragonfly.yml
new file mode 100644
index 000000000..e65945a23
--- /dev/null
+++ b/rules/apt/apt_dragonfly.yml
@@ -0,0 +1,45 @@
+
+action: global
+title: CrackMapExecWin 
+description: Detects CrackMapExecWin Activity as Described by NCSC
+status: experimental
+references:
+    - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control 
+author: Markus Neis
+detection:
+    selection1:
+        CommandLine:
+            - '*\crackmapexec.exe'
+    condition: 1 of them
+falsepositives: 
+    - None 
+level: critical
+---
+# Windows Audit Log
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection1:
+        # Requires group policy 'Audit Process Creation' > Include command line in process creation events
+        EventID: 4688
+    selection2:
+        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
+        EventID: 4688
+        NewProcessName:
+            - '*\crackmapexec.exe'
+---
+# Sysmon
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        # Requires group policy 'Audit Process Creation' > Include command line in process creation events
+        EventID: 1
+    selection2:
+        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
+        EventID: 1
+        Image:
+            - '*\crackmapexec.exe'