diff --git a/rules/windows/process_creation/proc_creation_win_susp_NtlmRelay.yml b/rules/windows/process_creation/proc_creation_win_susp_NtlmRelay.yml
new file mode 100644
index 000000000..3bddf3897
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_NtlmRelay.yml
@@ -0,0 +1,30 @@
+title: Suspicious WebDav Client Execution
+id: bb76d96b-821c-47cf-944b-7ce377864492
+status: experimental
+description: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
+author: Elastic (idea), Tobias Michalski
+references:
+  - https://twitter.com/med0x2e/status/1520402518685200384
+  - https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
+date: 2022/05/04
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection:
+    Image|endswith: '\rundll32.exe'
+    CommandLine|contains|all:
+      - 'C:\windows\system32\davclnt.dll,DavSetCookie'
+      - "http"
+    CommandLine|contains:
+      - "spoolss"
+      - "srvsvc"
+      - "/print/pipe/"
+  condition: selection
+falsepositives:
+  - Unknown
+level: high
+tags:
+  - attack.ta0004
+  - attack.ta0006
+  - attack.t1212