diff --git a/anti-analysis/anti-debugging/reference-confuserex-anti-profiling.yml b/anti-analysis/anti-debugging/reference-confuserex-anti-profiling.yml
new file mode 100644
index 000000000..121d42c8b
--- /dev/null
+++ b/anti-analysis/anti-debugging/reference-confuserex-anti-profiling.yml
@@ -0,0 +1,24 @@
+rule:
+  meta:
+    name: reference ConfuserEx anti-profiling
+    namespace: anti-analysis/anti-debugging
+    author: Nitezio
+    description: Detects ConfuserEx's anti-profiling mechanisms, which patch the CLR and hijack named pipes to prevent managed profilers from attaching.
+    scope: function
+    att&ck:
+      - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
+    references:
+      - https://github.com/mandiant/capa-rules/issues/602
+      - https://github.com/yck1509/ConfuserEx/blob/master/Confuser.Runtime/antinet/AntiManagedProfiler.cs
+  features:
+    - or:
+      # Behavior 1: Modifying the CLR timeout via memory protection
+      - and:
+        - api: kernel32.VirtualProtect
+        - string: "ProfAPIMaxWaitForTriggerMs"
+      # Behavior 2: Hijacking the CLR profiler named pipe
+      - and:
+        - string: "\\\\.\\pipe\\CPFATP_{0}_v{1}.{2}.{3}"
+        - or:
+          - api: kernel32.CreateNamedPipe
+          - api: kernel32.CreateFile
\ No newline at end of file
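Review bot: The `meta:` block has no `examples:` entry, which the capa rule linter requires for a non-library rule so that the rule can be validated against a known sample; add `examples:` followed by `- <sample hash placeholder>` (a hash of a ConfuserEx-protected sample exhibiting this behavior) after the `references:` list. The `scope: function` line should be checked against the rule format the repository currently uses, since newer capa rule versions express scope as a `scopes:` mapping with `static:` and `dynamic:` keys; if that is the case here the linter will reject the single-key form. For Behavior 2, `kernel32.CreateFile` is a very common import, but the exact pipe-name format string alongside it keeps the conjunction specific, so no change is needed there beyond perhaps noting in the comment that the `{0}..{3}` placeholders are the .NET format arguments filled in at runtime.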