diff --git a/nursery/execute-shellcode-via-readdirectorychanges.yml b/nursery/execute-shellcode-via-readdirectorychanges.yml
new file mode 100644
index 000000000..a8de0dd0b
--- /dev/null
+++ b/nursery/execute-shellcode-via-readdirectorychanges.yml
@@ -0,0 +1,29 @@
+rule:
+  meta:
+    name: execute shellcode via ReadDirectoryChanges
+    namespace: load-code/shellcode
+    authors:
+      - akshatpal@users.noreply.github.com
+    description: detect execution of arbitrary shellcode via ReadDirectoryChanges completion routines
+    scopes:
+      static: function
+      dynamic: span of calls
+    att&ck:
+      - Defense Evasion::Reflective Code Loading [T1620]
+    mbc:
+      - Defense Evasion::Hijack Execution Flow::Abuse Windows Function Calls [F0015.006]
+    references:
+      - https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-readdirectorychangesw
+      - https://learn.microsoft.com/en-us/windows/win32/api/minwinbase/nc-minwinbase-lpoverlapped_completion_routine
+  features:
+    - and:
+      - match: allocate or change RWX memory
+      - or:
+        - api: ReadDirectoryChanges
+        - api: ReadDirectoryChangesEx
+      - or:
+        - api: SleepEx
+        - api: WaitForSingleObjectEx
+        - api: WaitForMultipleObjectsEx
+      - optional:
+        - api: CreateFile
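Review bot: The second `or:` block, which stands in for "thread enters an alertable wait", lists only `SleepEx`, `WaitForSingleObjectEx` and `WaitForMultipleObjectsEx`; `MsgWaitForMultipleObjectsEx` and `SignalObjectAndWait` can also put the caller into an alertable state, so a sample using either would not match this rule. Consider adding `- api: MsgWaitForMultipleObjectsEx` and `- api: SignalObjectAndWait` under that `or:`. A one-line `#` comment above that block explaining why an alertable wait is required (the completion routine only runs when the thread is alertable) would make the rule's logic clear to future maintainers, since nothing in the rule currently states it. Note also that with `static: function` the RWX allocation, the ReadDirectoryChanges call and the wait must all appear in the same function, so an allocation done by a helper will not match; if that is an accepted trade-off for the nursery it is worth saying so in `description`.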