diff --git a/etc/non-ecs-schema.json b/etc/non-ecs-schema.json
index 81e5f2144..f3a8b980e 100644
--- a/etc/non-ecs-schema.json
+++ b/etc/non-ecs-schema.json
@@ -11,6 +11,8 @@
     "winlog.event_data.OriginalFileName": "keyword",
     "winlog.event_data.GrantedAccess": "keyword",
     "winlog.event_data.CallTrace": "keyword",
+    "powershell.file.script_block_text": "text",
+    "winlog.event_data.TargetProcessGUID": "keyword",
     "powershell.file.script_block_text": "text", 
     "winlog.event_data.CallerProcessName": "keyword", 
     "winlog.event_data.TargetSid": "keyword", 
diff --git a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
new file mode 100644
index 000000000..5ab67a492
--- /dev/null
+++ b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
@@ -0,0 +1,50 @@
+[metadata]
+creation_date = "2021/10/24"
+maturity = "production"
+updated_date = "2021/10/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent
+process. This may indicate a code injection or hollowing attempt.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Process Creation CallTrace"
+risk_score = 43
+rule_id = "3ed032b2-45d8-4406-bc79-7ad1eabb2c72"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+sequence by host.id with maxspan=1m
+  [process where event.code == "1" and
+   /* sysmon process creation */
+   process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "eqnedt32.exe",
+                          "fltldr.exe", "mspub.exe", "msaccess.exe", "powershell.exe", "pwsh.exe",
+                          "cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
+                          "wmic.exe", "cmstp.exe", "msxsl.exe")] by process.parent.entity_id, process.entity_id
+  [process where event.code == "10" and
+   /* Sysmon process access event from unknown module */
+   winlog.event_data.CallTrace : "*UNKNOWN*"] by process.entity_id, winlog.event_data.TargetProcessGUID
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+name = "Process Injection"
+id = "T1055"
+reference = "https://attack.mitre.org/techniques/T1055/"
+
+
+[rule.threat.tactic]
+name = "Defense Evasion"
+id = "TA0005"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+