diff --git a/rules/windows/process_creation/win_nltest_query b/rules/windows/process_creation/win_nltest_query new file mode 100644 index 000000000..5d61c1811 --- /dev/null +++ b/rules/windows/process_creation/win_nltest_query @@ -0,0 +1,25 @@ +title: Nltest Credential Hash Theft +description: Detects nltest query commands which may leak credential hashes +references: + - https://twitter.com/sysopfb/status/986799053668139009 +date: 2018/04/18 +modified: 2020/10/06 +tags: + - attack.credential_access + - attack.t1003 +status: experimental +author: Craig Young +logsource: + category: process_creation + product: windows +detection: + selection_1: + CommandLine|contains: + - nltest + selection_2: + CommandLine|contains: + - \query + condition: selection_1 and selection_2 +falsepositives: + - Legitimate administration +level: medium
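Review bot: the new file is created without an extension (`rules/windows/process_creation/win_nltest_query`) and the rule body has no `id` field, so neither the file nor the rule can be identified the way Sigma tooling expects; rename it to `win_nltest_query.yml` and add an `id:` UUID next to `title`. In `selection_2`, the match string `\query` uses a backslash, whereas nltest's documented switch syntax is a forward slash (`nltest /query`); confirm whether the backslash form from the referenced tweet is intended and, if the goal is to catch either spelling, list both (`- /query` and `- \query`). Since `selection_1` and `selection_2` both test `CommandLine` and the condition is simply `selection_1 and selection_2`, this is more idiomatically written as one selection with `CommandLine|contains|all`. Finally, `attack.t1003` (credential dumping) is a loose fit for what the rule actually matches, an nltest query, and the only support for "may leak credential hashes" in `description` is the tweet in `references`; either soften the description or add a discovery-oriented tag so the alert is not mis-triaged.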