diff --git a/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml b/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml
new file mode 100644
index 000000000..3ab241a79
--- /dev/null
+++ b/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml
@@ -0,0 +1,22 @@
+title: KrbRelayUp Service Installation
+id: e97d9903-53b2-41fc-8cb9-889ed4093e80
+status: experimental
+description: Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)
+author: Sittikorn S
+date: 2022/05/11
+references:
+ - https://github.com/Dec0ne/KrbRelayUp
+logsource:
+ product: windows
+ category: system
+detection:
+ selection:
+ EventID: '7045'
+ ServiceName: 'KrbSCM'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.privilege_escalation
+ - attack.t1543
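Review bot: The `logsource` block declares `category: system`, but the Sigma convention for the Windows System event log, where EventID 7045 service-installation records are written, is `service: system`; with `category` a backend's logsource mapping may not scope the query to that channel, so the two lines should read `product: windows` / `service: system`. `EventID: '7045'` is quoted as a string where sibling rules in this tree write the integer `EventID: 7045`, which matters for backends that type-compare the field. The selection matches only the tool's default service name `KrbSCM`, so this is an indicator match rather than a behavioral detection: `falsepositives` could state `Unlikely` for that exact name, and the description should say that it covers the default name only and is best paired with broader 7045 service-install anomaly rules.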