diff --git a/rules/windows/builtin/security/win_security_ad_suspicious_failed_ntlm_authent.yml b/rules/windows/builtin/security/win_security_ad_suspicious_failed_ntlm_authent.yml new file mode 100644 index 00000000000..88ac99a085e --- /dev/null +++ b/rules/windows/builtin/security/win_security_ad_suspicious_failed_ntlm_authent.yml @@ -0,0 +1,33 @@ +title: Suspicious NTLM Logon Failure Without WorkstationName - Possible Impacket +id: a5b0db6d-7f9b-4d13-9f8e-b1b26f4625fa +status: experimental +description: Detects failed NTLM logons (Event ID 4625) with specific attributes and no workstation name, which could indicate malicious activity such as NTLM relay or password spraying. +author: Charles BLANC-ROLIN @woundride +date: 2025/04/19 +logsource: + product: windows + service: security + category: logon +detection: + selection: + AuthenticationPackageName: NTLM + EventID: 4625 + LogonType: 3 + KeyLength: 0 + SubjectUserSid: S-1-0-0 + WorkstationName: '-' + condition: selection +fields: + - SubjectUserName + - IpAddress + - LogonProcessName + - WorkstationName + - TargetUserSid +falsepositives: + - Some legitimate system processes or misconfigured clients may lack workstationName +level: high +tags: + - attack.credential_access + - attack.t1110 + - windows + - ntlm diff --git a/rules/windows/builtin/security/win_security_ad_suspicious_success_ntlm_authent.yml b/rules/windows/builtin/security/win_security_ad_suspicious_success_ntlm_authent.yml new file mode 100644 index 00000000000..797d13983e8 --- /dev/null +++ b/rules/windows/builtin/security/win_security_ad_suspicious_success_ntlm_authent.yml 
@@ -0,0 +1,33 @@ +title: Suspicious NTLM Logon Success Without WorkstationName - Possible Impacket +id: 798fd9eb-7151-43a1-9717-b2b164abfe91 +status: experimental +description: Detects success NTLM logons (Event ID 4624) with specific attributes and no workstation name, which could indicate malicious activity such as Impacket authentication. +author: Charles BLANC-ROLIN @woundride +date: 2025/04/19 +logsource: + product: windows + service: security + category: logon +detection: + selection: + AuthenticationPackageName: NTLM + EventID: 4624 + LogonType: 3 + KeyLength: 0 + SubjectUserSid: S-1-0-0 + WorkstationName: '-' + condition: selection +fields: + - SubjectUserName + - IpAddress + - LogonProcessName + - WorkstationName + - TargetUserSid +falsepositives: + - Some legitimate system processes or misconfigured clients may lack workstationName +level: high +tags: + - attack.credential_access + - attack.t1110 + - windows + - ntlm
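Review bot: In the first file (`win_security_ad_suspicious_failed_ntlm_authent.yml`), the `logsource` block mixes `service: security` with `category: logon`; the Sigma logsource for the Windows Security log is `product: windows` plus `service: security` alone, and `logon` is not a defined Windows category, so backends and the repository's rule tests will not map it. Drop the `category: logon` line. In the same hunk, `fields` lists `SubjectUserName`, which is always `-` when `SubjectUserSid` is `S-1-0-0`, but omits `TargetUserName`, the account actually being attempted, which is the first field an analyst needs for a spraying or relay case; add it. The `falsepositives` entry concedes that legitimate system processes and misconfigured clients also produce these events while `level` is `high`; either narrow the selection or lower the level to `medium`. Smaller points: `date: 2025/04/19` should use the ISO form `2025-04-19`; the bare `windows` and `ntlm` tags fall outside the namespaced tag sets (`attack.`, `car.`, `cve.`, `detection.`, `tlp.`) the repository accepts; and `attack.t1110` only covers the password-spraying half of the description, while the NTLM-relay case it also names maps to `attack.t1557.001`.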
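Review bot: In the second file (`win_security_ad_suspicious_success_ntlm_authent.yml`), the selection effectively reduces to `WorkstationName: '-'`: for a 4624 with `LogonType: 3`, `SubjectUserSid: S-1-0-0` is the NULL SID every network logon carries and adds no filtering, so on a domain controller every successful NTLM network logon without a workstation name fires at `level: high`, and `falsepositives` already admits legitimate sources do this. Consider `medium` and list the known noisy sources under `falsepositives`. `attack.t1110` (brute force) also does not describe a successful Impacket authentication; what the description names is use of valid credentials or hashes over SMB, which is `attack.t1550.002` or `attack.t1021.002`. Wording: `description` should read "successful NTLM logons" rather than "success NTLM logons", and `workstationName` in `falsepositives` should match the field name `WorkstationName`. As in the first file, `logsource` should not carry `category: logon` alongside `service: security`, `date` should be `2025-04-19`, the `windows` and `ntlm` tags are not in an accepted namespace, and `fields` should include `TargetUserName` rather than the always-empty `SubjectUserName`.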