diff --git a/rules/windows/sysmon/sysmon_system_exe_anomaly.yml b/rules/windows/sysmon/sysmon_system_exe_anomaly.yml
new file mode 100644
index 00000000..651d19f1
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_system_exe_anomaly.yml
@@ -0,0 +1,33 @@
+title: System File Execution Location Anomaly
+status: experimental
+description: Detects a Windows program executable started in a suspicious folder
+reference: https://twitter.com/GelosSnake/status/934900723426439170
+author: Florian Roth
+date: 2017/11/27
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        Image:
+            - '*\svchost.exe'
+            - '*\rundll32.exe'
+            - '*\services.exe'
+            - '*\powershell.exe'
+            - '*\regsvr32.exe'
+            - '*\spoolsv.exe'
+            - '*\lsass.exe'
+            - '*\conhost.exe'
+            - '*\smss.exe'
+            - '*\csrss.exe'
+            - '*\conhost.exe'
+    filter:
+        Image: 
+            - '*\System32\*'
+            - '*\SysWow64\*'
+    condition: selection and not filter
+falsepositives:
+    - Exotic software
+level: high
+