diff --git a/rules/windows/sysmon/sysmon_susp_taskmgr_localsystem.yml b/rules/windows/sysmon/sysmon_susp_taskmgr_localsystem.yml
new file mode 100644
index 00000000..9cf16279
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_susp_taskmgr_localsystem.yml
@@ -0,0 +1,17 @@
+title: Taskmgr as LOCAL_SYSTEM
+status: experimental
+description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
+author: Florian Roth
+date: 2018/03/18
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        User: 'NT AUTHORITY\SYSTEM'
+        Image: '*\taskmgr.exe'
+    condition: selection
+falsepositives:
+    - Unkown
+level: high
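Review bot: The `User: 'NT AUTHORITY\SYSTEM'` selection is locale-dependent: on non-English Windows installations the built-in account name is localized, so this rule would silently never fire on those hosts; the wildcard form the rule already uses for `Image` is less brittle here, e.g. `User: '*\SYSTEM'` (the localized names I am aware of keep the `SYSTEM` suffix, but confirm against your own fleet). The `falsepositives` entry is misspelled and should read `- Unknown`; a more useful entry would name the likely benign case, such as an administrator starting Task Manager from a SYSTEM-context shell or remote-execution tool. The rule also carries no `tags` or `references` keys, so it cannot be mapped to a technique or traced to a source; adding at least a `tags` list would bring it in line with the rest of the ruleset.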