diff --git a/rules/windows/process_creation/win_susp_dxcap.yml b/rules/windows/process_creation/win_susp_dxcap.yml
new file mode 100644
index 000000000..3fb6272ad
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_dxcap.yml
@@ -0,0 +1,22 @@
+title: Bypassing Application Whitelisting by using dxcap.exe
+status: experimental
+description: Local execution of a process as a subprocess of Dxcap.exe
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml
+ - https://twitter.com/harr0ey/status/992008180904419328
+author: Beyu Denis
+date: 2019/10/26
+tags:
+ - attack.persistence
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image: '*\dxcap.exe'
+ CommandLine: '* -c *'
+ condition: selection
+falsepositives:
+ - Unknown
+
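Review bot: The only ATT&CK tag, `attack.persistence`, does not match what the title and description describe: proxying execution of a payload through a signed Microsoft binary to get around application whitelisting is defense evasion, not persistence, so the `tags` list should read `- attack.defense_evasion` and `- attack.t1218` (the signed/system binary proxy execution technique the other LOLBAS rules in this directory presumably use; confirm the exact technique id against the sibling rules). The selection itself is narrow enough to be useful, but `CommandLine: '* -c *'` only matches when `-c` is surrounded by spaces, so a note in the rule saying the pattern is anchored on the capture switch from the referenced LOLBAS entry would help a maintainer judge whether other spellings need covering. `falsepositives: Unknown` could be made more concrete: dxcap.exe is presumably a legitimate Visual Studio graphics diagnostics tool, so a line such as `- Developers using Visual Studio graphics diagnostics (dxcap.exe -c) on their own workstations` gives an analyst a starting point for triage. The trailing empty `+` line adds a blank line at end of file, which is harmless but inconsistent with the other rule files if they omit it.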