diff --git a/rules/windows/process_creation/proc_creation_win_nps.yml b/rules/windows/process_creation/proc_creation_win_nps.yml
new file mode 100644
index 000000000..1f517b76e
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_nps.yml
@@ -0,0 +1,37 @@
+title: NPS Tunneling Tool
+id: 68d37776-61db-42f5-bf54-27e87072d17e
+status: experimental
+description: Detects the use of NPS a port forwarding tool
+references:
+ - https://github.com/ehang-io/nps
+author: Florian Roth
+date: 2022/10/08
+tags:
+ - attack.command_and_control
+ - attack.t1090
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\npc.exe'
+ selection_commandline1:
+ CommandLine|contains|all:
+ - ' -server='
+ - ' -vkey='
+ - ' -password='
+ selection_commandline2:
+ CommandLine|contains: ' -config=npc'
+ selection_hashes:
+ # v0.26.10
+ - Hashes|contains:
+ - "MD5=AE8ACF66BFE3A44148964048B826D005"
+ - "SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181"
+ - "SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856"
+ - md5: 'ae8acf66bfe3a44148964048b826d005'
+ - sha1: 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181'
+ - sha256: '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856'
+ condition: 1 of selection*
+falsepositives:
+ - Legitimate use
+level: high
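Review bot: With `condition: 1 of selection*`, the bare `Image|endswith: '\npc.exe'` selection is sufficient on its own, so every process whose image name ends in npc.exe raises a level-high alert regardless of its command line, while the more specific `selection_commandline*` and `selection_hashes` blocks only add coverage rather than precision; consider gating the image match, e.g. `condition: (selection and 1 of selection_commandline*) or selection_hashes`, or documenting in `falsepositives` that the name-only match is intentional. The hash selection is pinned to one build (the `# v0.26.10` comment), so it silently stops contributing on the next release; a comment such as `# hashes cover v0.26.10 only; the command-line selections are the durable signal` would make that maintenance expectation explicit. The `description` reads `Detects the use of NPS a port forwarding tool`; `Detects the use of the NPS client (npc.exe), a port forwarding tool` is clearer and states which binary the rule actually matches, since the server component is not covered by this selection.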