diff --git a/queries/windows/rundll32_possible_cobalt_strike.yml b/queries/windows/rundll32_possible_cobalt_strike.yml
new file mode 100644
index 0000000..c90e18d
--- /dev/null
+++ b/queries/windows/rundll32_possible_cobalt_strike.yml
@@ -0,0 +1,17 @@
+title: Rundll32 Possible Cobalt Strike
+description: Loose detection of lateral movement through SMB, commonly used with Cobalt Strike.
+author: keyboardcrunch
+date: 02/12/2020
+modified:
+mitre:
+ tactic: Defense Evasion
+ technique: T1218
+ subtechnique: 011
+operating_system:
+query: ( SrcProcName In AnyCase ( "rundll32.exe" ) AND SrcProcCmdLine IS EMPTY ) OR ( SrcProcName In AnyCase ( "rundll32.exe" ) AND NetConnOutCount > "0" AND SrcProcParentName Not In ( "splwow64.exe" ) AND SrcProcParentName Not In ( "msiexec.exe" ) AND SrcProcCmdLine RegExp ".*((?!C:\\windows\\system32\\spool\\DRIVERS\\.*,MonitorPrintJobStatus))$/gmi" )
+false_positives:
+ - Printer drivers
+tags:
+ - Cobalt Strike
+references:
+ - https://thedfirreport.com/2020/10/08/ryuks-return/
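Review bot: The `SrcProcCmdLine RegExp` pattern in the `query` line is very likely broken in two ways, which would silently disable the second OR branch and leave only the empty-command-line clause active. The trailing `/gmi` sits inside the quoted pattern rather than acting as flags, so after the `$` anchor the engine must still match a literal `/gmi`, which in most engines means the pattern never matches; and the negative lookahead is placed after a greedy `.*` and directly before `$`, where it is evaluated at end-of-string and trivially succeeds, so the spooler-driver exclusion would not fire even if the flags were removed. A working form anchors the exclusion at the start, e.g. `SrcProcCmdLine RegExp "^(?!.*C:\\windows\\system32\\spool\\DRIVERS\\.*,MonitorPrintJobStatus).*$"` with case-insensitivity applied through the query language's own mechanism, and should be validated against a known-benign print-driver command line before merge. Two smaller inconsistencies in the same hunk: the parent-name exclusions use `Not In` while the process name uses `In AnyCase`, so `SPLWOW64.EXE` would not be excluded, and `description` says "lateral movement through SMB" while the `mitre` block maps to Defense Evasion / T1218.011 (signed binary proxy execution), so one of the two should be reworded to match the other.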