diff --git a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml new file mode 100644 index 000000000..89382b90c --- /dev/null +++ b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml @@ -0,0 +1,23 @@ +title: Malicious PE Execution by Microsoft Visual Studio Debugger +id: 15c7904e-6ad1-4a45-9b46-5fb25df37fd2 +status: experimental +description: There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package. +references: + - https://twitter.com/pabraeken/status/990758590020452353 + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Vsjitdebugger.yml + - https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 +tags: + - attack.t1218 +author: Agro (@agro_sev) oscd.community +date: 2020/10/14 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\vsjitdebugger.exe' + condition: selection +falsepositives: + - the process spawned by vsjitdebugger.exe is uncommon. +level: medium +
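Review bot: The `falsepositives` entry "the process spawned by vsjitdebugger.exe is uncommon." is a rationale for the detection, not a false positive; with the selection matching only `ParentImage|endswith: '\vsjitdebugger.exe'`, the obvious false positive is a developer debugging their own application (the debugged program will always appear as a child of vsjitdebugger.exe on a machine with Visual Studio installed), so list that as the false positive, say that the rule is expected to fire on developer workstations, and consider whether `level: medium` still fits a parent-only condition with no filter on the child `Image` or `CommandLine`. Two smaller points in the same hunk: the `description` has grammar slips ("may be used adversaries" lacks "by"; "by signed verified binary" reads better as "via a signed, verified binary"; "installed alongside with" should be "installed alongside"), and the `tags` block carries only `attack.t1218`, so add the matching tactic tag `attack.defense_evasion` as Sigma rules normally pair technique and tactic.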