diff --git a/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml b/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml
new file mode 100644
index 00000000000..fd3ed84cede
--- /dev/null
+++ b/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml
@@ -0,0 +1,23 @@
+title: Potential CSharp Streamer RAT Loading .NET Executable Image
+id: 6f6afac3-8e7a-4e4b-9588-2608ffe08f82
+status: experimental
+description: |
+    Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
+references:
+    - https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections
+    - https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/
+author: Luca Di Bartolomeo
+date: 2024/06/22
+tags:
+    - attack.command_and_control
+    - attack.t1219
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|re: '\\AppData\\Local\\Temp\\dat[0-9A-Z]{4}\.tmp'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
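Review bot: The `ImageLoaded|re` pattern is case-sensitive (Sigma's `re` modifier does not imply `i`), so it only matches four uppercase alphanumerics after `dat` and a lowercase `.tmp`; on a case-insensitive NTFS path, a log source that records the name as e.g. `datab12.TMP` would slip past the rule. Consider `ImageLoaded|re|i: '\\AppData\\Local\\Temp\\dat[0-9a-z]{4}\.tmp'` if the repository's Sigma version supports the `i` sub-modifier, or widen the class to `[0-9A-Za-z]` and `\.[Tt][Mm][Pp]`. The selection also does not verify that the loaded image is actually a .NET assembly as the title implies; it keys purely on what looks like a `GetTempFileName`-style name with a `dat` prefix, which other software could plausibly produce, so `level: high` paired with `falsepositives: Unknown` may be optimistic. A sentence in `description` stating that the match is name/path-only and that the loading process should be checked during triage would help analysts.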