diff --git a/rules/windows/process_creation/win_susp_presentationhost_execution.yml b/rules/windows/process_creation/win_susp_presentationhost_execution.yml
deleted file mode 100644
index f8cd768b..00000000
--- a/rules/windows/process_creation/win_susp_presentationhost_execution.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: Application Whitelisting Bypass via PresentationHost.exe
-id: d149a338-ae47-408e-a8ff-9064220c0b34
-description: Detects defence evasion attempt via PresentationHost.exe to run malicious .xbap file
-status: experimental
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Presentationhost.yml
- - https://medium.com/tsscyber/applocker-bypass-presentationhost-exe-8c87b2354cd4
- - https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/
-author: Kirill Kiryanov, oscd.community
-date: 2020/10/08
-tags:
- - attack.defense_evasion
- - attack.t1218
- - attack.execution
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- Image|endswith: '\presentationhost.exe'
- CommandLine|contains: '.xbap'
- condition: selection
-level: medium
-falsepositives:
- - Unknown
diff --git a/rules/windows/process_creation/win_susp_sqldumper_activity.yml b/rules/windows/process_creation/win_susp_sqldumper_activity.yml
new file mode 100644
index 00000000..93087628
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_sqldumper_activity.yml
@@ -0,0 +1,28 @@
+title: Dumping Process via Sqldumper.exe
+id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
+description: Detects process dump via legitimate sqldumper.exe binary
+status: experimental
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqldumper.yml
+ - https://twitter.com/countuponsec/status/910977826853068800
+ - https://twitter.com/countuponsec/status/910969424215232518
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
+author: Kirill Kiryanov, oscd.community
+date: 2020/10/08
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\sqldumper.exe'
+ CommandLine|contains:
+ - '0x0110'
+ - '0x01100:40'
+ condition: selection
+falsepositives:
+ - Legitimate MSSQL Server actions
+level: medium
+
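Review bot: The second `CommandLine|contains` value `'0x01100:40'` is redundant, because list values under `contains` are OR-ed and any command line containing `'0x01100:40'` already contains `'0x0110'`; either drop the second entry or, if the rule is meant to key specifically on the full-dump flag form, replace `'0x0110'` with the more specific value rather than listing both. The `Image|endswith: '\sqldumper.exe'` selection keys only on the file path; a sibling selection on `OriginalFileName` (value to be confirmed from the binary's version resource) OR-ed into the condition would make the match rest on PE metadata as well, which is the usual hardening for LOLBin rules of this kind. The `falsepositives` entry `Legitimate MSSQL Server actions` would be easier to act on with a one-line hint in `description` about what distinguishes the benign case, for example that production SQL Server crash handling normally runs sqldumper.exe from its own install path under the SQL Server service; keep it hedged unless confirmed against telemetry. Key order also differs from the deleted presentationhost rule, which placed `level` before `falsepositives`; pick one order for the directory.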