diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml
new file mode 100644
index 000000000..a7b322612
--- /dev/null
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml
@@ -0,0 +1,27 @@
+title: Remote Thread Created In Shell Application
+id: a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f
+status: experimental
+description: |
+    Detects remote thread creation in command shell applications, such as "Cmd.EXE" and "PowerShell.EXE".
+    It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.
+references:
+    - https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/
+    - https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/
+author: Splunk Research Team
+date: 2024/07/29
+tags:
+    - attack.defense_evasion
+    - attack.t1055
+logsource:
+    product: windows
+    category: create_remote_thread
+detection:
+    selection:
+        TargetImage|endswith:
+            - '\cmd.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
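Review bot: The `selection` block constrains only `TargetImage`, so the rule fires on every remote thread created in cmd.exe, powershell.exe or pwsh.exe regardless of who created it, and the most frequent benign writer on Windows is csrss.exe, which injects a control-signal thread into console processes (seen in Sysmon Event ID 8 with `StartFunction: CtrlRoutine`); endpoint security products are another routine source. Without a source-side filter this medium-level rule will be noisy on any host running interactive shells, and `falsepositives: - Unknown` undersells that — it should at least name csrss.exe and security tooling as expected sources. A `filter_main_*` exclusion on `SourceImage` plus `StartFunction`, combined into the condition as `selection and not 1 of filter_main_*`, keeps the IcedID-style injection case the description targets while dropping the OS-generated events; whether further vendor-specific `filter_optional_*` entries are needed depends on the fleet and should be confirmed against live telemetry before the rule leaves `experimental`.
```yaml
detection:
    # … unchanged: selection on TargetImage …
    filter_main_csrss:
        SourceImage|endswith: '\csrss.exe'
        StartFunction: 'CtrlRoutine'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Console control threads created by csrss.exe (StartFunction CtrlRoutine)
    - Endpoint security products injecting into shell processes
```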