diff --git a/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml b/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml
new file mode 100644
index 000000000..3dd224222
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml
@@ -0,0 +1,35 @@
+title: HackTool - LocalPotato Execution
+id: 6bd75993-9888-4f91-9404-e1e4e4e34b77
+status: experimental
+description: Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
+references:
+    - https://www.localpotato.com/localpotato_html/LocalPotato.html
+    - https://github.com/decoder-it/LocalPotato
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/02/14
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - cve.2023.21746
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        Image|endswith: '\LocalPotato.exe'
+    selection_cli:
+        CommandLine|contains|all:
+            - '.exe -i C:\'
+            - '-o Windows\'
+    selection_hash_plain:
+        Hashes|contains:
+            - 'IMPHASH=E1742EE971D6549E8D4D81115F88F1FC'
+            - 'IMPHASH=DD82066EFBA94D7556EF582F247C8BB5'
+    selection_hash_ext:
+        Imphash:
+            - 'E1742EE971D6549E8D4D81115F88F1FC'
+            - 'DD82066EFBA94D7556EF582F247C8BB5'
+    condition: 1 of selection_*
+falsepositives:
+    - Unlikely
+level: high
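Review bot: The two imphash selections (`selection_hash_plain`, `selection_hash_ext`) only fire when the log source actually emits an import hash — for Sysmon that means the `HashAlgorithms` config must include `IMPHASH` or `*` — and without it the rule silently degrades to `selection_img`/`selection_cli`, which a renamed binary or a reworded command line defeats; a one-line hint such as `# imphash selections require IMPHASH to be enabled in the Sysmon HashAlgorithms config` above `selection_hash_plain` (or a sentence in `description`) would save deployers from a false sense of coverage. The `selection_cli` pattern `'.exe -i C:\'` also misses invocations where the input path is quoted (`-i "C:\...`), which is routine for paths containing spaces; since `'-o Windows\'` is still required, a second `contains|all` selection with `- '.exe -i "C:\'` as the first element would close that gap at little false-positive cost. The `tags` list carries tactics and the CVE but no ATT&CK technique; if the intended mapping is exploitation of a local privilege-escalation bug, `attack.t1068` is the usual Sigma addition — confirm against the project's tagging conventions for the other potato rules.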