diff --git a/rules-unsupported/win_access_fake_files_with_stored_credentials.yml b/rules-unsupported/win_access_fake_files_with_stored_credentials.yml
new file mode 100644
index 000000000..c8f95ed78
--- /dev/null
+++ b/rules-unsupported/win_access_fake_files_with_stored_credentials.yml
@@ -0,0 +1,29 @@
+title: Stored Credentials in Fake Files
+id: 692b979c-f747-41dc-ad72-1f11c01b110e
+description: Search for accessing of fake files with stored credentials
+status: experimental
+author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
+date: 2020/10/05
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-13-638.jpg
+tags:
+ - attack.credential_access
+ - attack.t1555
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4663
+ AccessList|contains: '%%4416'
+ ObjectName|endswith:
+ - '\%POLICY_ID%\Machine\Preferences\Groups\Groups.xml'
+ - '\%FOLDER_NAME%\Unattend.xml'
+ condition: selection
+fields:
+ - EventID
+ - AccessList
+ - ObjectName
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
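Review bot: The `ObjectName|endswith` values keep the template placeholders `%POLICY_ID%` and `%FOLDER_NAME%`, which will never appear literally in a 4663 ObjectName, so the rule cannot match until an operator substitutes the paths of the deployed decoy files; the description should state this and the audit prerequisite, e.g. `description: Detects read access (%%4416, ReadData) to deployed decoy credential files. Replace %POLICY_ID% and %FOLDER_NAME% with the decoy paths; requires the Audit File System subcategory enabled and a read SACL on the decoy files, otherwise no 4663 event is generated.` Because any read of a decoy fires the rule, `falsepositives: Unknown` would be more useful as the benign readers such files see, such as backup agents and antivirus or indexing scans, so analysts can tune on SubjectUserName/ProcessName. The indentation of `condition: selection` has been lost in this copy; it must sit at the `detection` level rather than nested under `selection` for the rule to be valid Sigma, which is worth confirming in the committed file.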