diff --git a/rules/windows/file_event/file_event_win_word_template_creation.yml b/rules/windows/file_event/file_event_win_word_template_creation.yml
new file mode 100644
index 000000000..a94a226da
--- /dev/null
+++ b/rules/windows/file_event/file_event_win_word_template_creation.yml
@@ -0,0 +1,41 @@
+title: Office Template Creation
+id: 0e20c89d-2264-44ae-8238-aeeaba609ece
+status: experimental
+description: Detects creation of template files for Microsoft Office from outside Office
+author: Max Altgelt
+date: 2022/06/02
+references:
+   - https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies
+tags:
+   - attack.persistence
+   - attack.t1137
+logsource:
+   category: file_event
+   product: windows
+detection:
+   selection_word:
+      TargetFilename|endswith:
+         - .dot
+         - .dotm
+         - .doc
+         - .docm
+         - .docx
+         - .rtf
+      TargetFilename|contains: '\Microsoft\Word\Startup'
+   selection_excel:
+      TargetFilename|endswith:
+         - .xlt
+         - .xltm
+         - .xls
+         - .xlsm
+         - .xlsx
+      TargetFilename|contains: '\Microsoft\Excel\Startup'
+   filter_office:
+      Image|endswith:
+         - \WINWORD.exe
+         - \EXCEL.exe
+   condition: 1 of selection* and not filter_office
+falsepositives:
+    - Loading a user environment from a backup or a domain controller
+    - Synchronization of templates
+level: high