diff --git a/etc/non-ecs-schema.json b/etc/non-ecs-schema.json
index 801686f90..c656c005f 100644
--- a/etc/non-ecs-schema.json
+++ b/etc/non-ecs-schema.json
@@ -16,18 +16,20 @@
         "AttributeValue": "keyword",
         "CallerProcessName": "keyword", 
         "CallTrace": "keyword",
+        "ClientProcessId": "keyword",
         "GrantedAccess": "keyword",
+        "NewTargetUserName": "keyword",
         "ObjectDN": "keyword",
+        "OldTargetUserName": "keyword",
         "OriginalFileName": "keyword",
+        "ParentProcessId": "keyword",
         "RelativeTargetName": "keyword",
         "ShareName": "keyword",
         "SubjectLogonId": "keyword",
         "TargetImage": "keyword",
         "TargetLogonId": "keyword",
         "TargetProcessGUID": "keyword",
-        "TargetSid": "keyword",
-        "OldTargetUserName": "keyword",
-        "NewTargetUserName": "keyword"
+        "TargetSid": "keyword"
       }
     },
     "winlog.logon.type": "keyword",
diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
new file mode 100644
index 000000000..5d6be35e9
--- /dev/null
+++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
@@ -0,0 +1,68 @@
+[metadata]
+creation_date = "2022/02/07"
+maturity = "production"
+updated_date = "2022/02/07"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator
+privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from
+administrator to SYSTEM.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Windows Service Installed via an Unusual Client"
+note = """## Config
+
+The 'Audit Security System Extension' logging policy must be configured for (Success)
+Steps to implement the logging policy with with Advanced Audit Configuration:
+
+```
+Computer Configuration > 
+Policies > 
+Windows Settings > 
+Security Settings > 
+Advanced Audit Policies Configuration > 
+Audit Policies > 
+System > 
+Audit Security System Extension (Success)
+```
+"""
+references = [
+    "https://www.x86matthew.com/view_post?id=create_svc_rpc",
+    "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697",
+    "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md"
+]
+risk_score = 73
+rule_id = "55c2bf58-2a39-4c58-a384-c8b1978153c2"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.action:"service-installed"  and (winlog.event_data.ClientProcessId:"0" or winlog.event_data.ParentProcessId:"0")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1543/"
+id = "T1543"
+name = "Create or Modify System Process"
+[[rule.threat.technique.subtechnique]]
+reference = "https://attack.mitre.org/techniques/T1543/003/"
+id = "T1543.003"
+name = "Windows Service"
+
+
+
+[rule.threat.tactic]
+reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0004"
+name = "Privilege Escalation"
+