diff --git a/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml b/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml
new file mode 100644
index 000000000..f0064816b
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml
@@ -0,0 +1,28 @@
+title: Regsvr32 Flags Anomaly
+id: b236190c-1c61-41e9-84b3-3fe03f6d76b0
+status: experimental
+description: Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time
+author: Florian Roth
+date: 2019/07/13
+references:
+    - https://twitter.com/sbousseaden/status/1282441816986484737?s=12
+tags:
+    - attack.t1117
+    - attack.defense_evasion
+    - attack.t1218.010
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\regsvr32.exe'
+        CommandLine|contains: ' /i:'
+    filter:
+        CommandLine|contains: ' /n '
+    condition: selection and not filter
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Unknown
+level: high