diff --git a/etc/non-ecs-schema.json b/etc/non-ecs-schema.json
index 607d4fc23..a3173e65b 100644
--- a/etc/non-ecs-schema.json
+++ b/etc/non-ecs-schema.json
@@ -37,7 +37,9 @@
         "TargetLogonId": "keyword",
         "TargetProcessGUID": "keyword",
         "TargetSid": "keyword", 
-	"PrivilegeList": "keyword"
+	"PrivilegeList": "keyword",
+	"AuthenticationPackageName" : "keyword",
+	"TargetUserSid" : "keyword"
       }
     },
     "winlog.logon.type": "keyword",
diff --git a/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml b/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml
new file mode 100644
index 000000000..7c1738470
--- /dev/null
+++ b/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml
@@ -0,0 +1,74 @@
+[metadata]
+creation_date = "2022/04/26"
+maturity = "production"
+updated_date = "2022/04/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to
+localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage
+a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local
+System privileges.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Privilege Escalation via Local Kerberos Relay over LDAP"
+references = [
+    "https://github.com/Dec0ne/KrbRelayUp",
+    "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html",
+    "https://github.com/cube0x0/KrbRelay",
+]
+risk_score = 73
+rule_id = "3605a013-6f0c-4f7d-88a5-326f5be262ec"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Credential Access"]
+type = "eql"
+
+query = '''
+authentication where
+
+ /* event 4624 need to be logged */
+ event.action == "logged-in" and event.outcome == "success" and
+
+ /* authenticate locally via relayed kerberos ticket */
+ winlog.event_data.AuthenticationPackageName : "Kerberos" and winlog.logon.type == "Network" and
+ source.ip == "127.0.0.1" and source.port > 0 and
+
+ /* Impersonate Administrator user via S4U2Self service ticket */
+ winlog.event_data.TargetUserSid : "S-1-5-21-*-500"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+[[rule.threat.technique.subtechnique]]
+id = "T1548.002"
+name = "Bypass User Account Control"
+reference = "https://attack.mitre.org/techniques/T1548/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1558"
+name = "Steal or Forge Kerberos Tickets"
+reference = "https://attack.mitre.org/techniques/T1558/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+