diff --git a/rules/windows/process_creation/win_susp_psexex_paexec_escalate_system.yml b/rules/windows/process_creation/win_susp_psexex_paexec_escalate_system.yml
new file mode 100644
index 000000000..1d194067c
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_psexex_paexec_escalate_system.yml
@@ -0,0 +1,29 @@
+title: PsExec/PAExec Escalation to LOCAL SYSTEM
+id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
+status: experimental
+description: Detects suspicious flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
+references:
+    - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
+    - https://www.poweradmin.com/paexec/
+    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
+author: Florian Roth
+date: 2021/11/23
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_cmd_to_system: # Escalation to LOCAL_SYSTEM
+        CommandLine|endswith: ' -s cmd.exe'
+    selection_supporting_flags:
+        CommandLine|contains:
+            - 'PsExec'
+            - 'PAExec'
+            - 'accepteula'
+            - 'cmd /c '
+    condition: selection_supporting_flags and selection_cmd_to_system
+falsepositives:
+    - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)
+level: high
+tags:
+    - attack.develop_capabilities
+    - attack.t1587.001
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml b/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml
index 51926aa0f..c6b92318d 100644
--- a/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml
+++ b/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml
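Review bot: The core selection `CommandLine|endswith: ' -s cmd.exe'` in the new rule is easy to sidestep: `psexec -s cmd`, `psexec -s -i cmd.exe`, `psexec -s cmd.exe /c ...` and `psexec -s powershell.exe` all reach SYSTEM the same way yet none end in ` -s cmd.exe`, so the detection hinges on one exact argument order and spelling. I would split the SYSTEM switch from the spawned shell, as sketched below (keeping the rule at `level: high` and the `condition` unchanged), and note in the rule that a shell with trailing arguments is still a residual gap; whether PsExec also honours the `/s` form is worth confirming before adding it. Separately, `attack.develop_capabilities` / `attack.t1587.001` (Develop Capabilities: Malware) describes pre-intrusion resource development rather than what this rule observes; `attack.execution` with `attack.t1569.002` (Service Execution) and `attack.privilege_escalation` look like the intended tags, so please confirm or adjust them. A short comment on `'cmd /c '` explaining that it is meant to catch the parent `cmd /c psexec ...` wrapper would also help readers, since the `endswith` match makes it otherwise redundant.
```yaml
    selection_cmd_to_system: # Escalation to LOCAL_SYSTEM: -s plus a spawned shell, regardless of argument order
        CommandLine|contains: ' -s '
        CommandLine|endswith:
            - ' cmd'
            - ' cmd.exe'
            - ' powershell'
            - ' powershell.exe'
    # … unchanged: selection_supporting_flags, condition …
```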
@@ -8,21 +8,19 @@ references:
     - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
 author: Florian Roth
 date: 2021/05/22
+modified: 2021/11/23
 logsource:
     category: process_creation
     product: windows
 detection:
     selection_flags_1: # Escalation to LOCAL_SYSTEM
-        CommandLine|contains|all:
-            - '\\127.0.0.1'
-            - ' -s '
-            - 'cmd.exe'
+        CommandLine|endswith: ' -s cmd.exe'
     selection_flags_2:
         CommandLine|contains|all: # Accepting EULA in commandline - often used in automated attacks
-            - ' /accepteula '
-            - 'cmd /c '
+            - 'accepteula'
             - ' -u '
             - ' -p '
+            - ' \\'
     filter:
         CommandLine|contains:
             - 'paexec'
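Review bot: The rewritten `selection_flags_1` (`CommandLine|endswith: ' -s cmd.exe'`) is now byte-identical to `selection_cmd_to_system` in the new escalation rule added in the same commit, so every such event will fire both rules, and this change also drops the `\\127.0.0.1` loopback indicator that used to distinguish a local SYSTEM escalation from ordinary remote execution. Either keep a local-target discriminator here, e.g. `CommandLine|contains|all:` with `' -s '` and `'\\127.0.0.1'` (plus `'\\localhost'`), or remove `selection_flags_1` from this rule and let the dedicated rule own that case; the `condition` that references these selections and the rest of the `filter` block are outside the hunk, so I cannot see which option fits. In `selection_flags_2` the new `' \\'` entry is the only element whose purpose is not self-evident; a trailing comment such as `- ' \\' # remote target supplied as \\host` would make the intent (explicit credentials plus a UNC target) clear. Loosening `' /accepteula '` to `'accepteula'` so both `-accepteula` and `/accepteula` match looks right.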