diff --git a/rules/windows/process_creation/win_pc_susp_reg_bitlocker.yml b/rules/windows/process_creation/win_pc_susp_reg_bitlocker.yml
new file mode 100644
index 000000000..5949587fa
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_susp_reg_bitlocker.yml
@@ -0,0 +1,36 @@
+title: Suspicious Reg Add BitLocker
+id: 0e0255bf-2548-47b8-9582-c0955c9283f5
+status: experimental
+description: Suspicious add key for BitLocker
+references:
+    - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
+tags:
+    - attack.impact
+    - attack.t1486
+author: frack113
+date: 2021/11/15
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    set:
+        CommandLine|contains|all:
+            - 'REG'
+            - 'ADD'
+            - 'HKLM\SOFTWARE\Policies\Microsoft\FVE'
+            - '/v'
+            - '/f'
+    key:
+        CommandLine|contains:
+            - 'EnableBDEWithNoTPM'
+            - 'UseAdvancedStartup'
+            - 'UseTPM'
+            - 'UseTPMKey'
+            - 'UseTPMKeyPIN'
+            - 'RecoveryKeyMessageSource'
+            - 'UseTPMPIN'
+            - 'RecoveryKeyMessage'
+    condition: set and key
+falsepositives:
+    - unknown
+level: medium