diff --git a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml new file mode 100644 index 000000000..8ad56900a --- /dev/null +++ b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml @@ -0,0 +1,25 @@ +title: Atbroker Registry Change +id: 9577edbb-851f-4243-8c91-1d5b50c1a39b +description: Detects creation/modification of Assisitive Technology applications and persistance with usage of ATs +author: Mateusz Wydra, oscd.community +references: + - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Atbroker.yml +date: 2020/10/13 +tags: + - attack.defense_evasion + - attack.t1218 + - attack.persistance + - attack.t1547 +logsource: + category: registry_event + product: windows +detection: + creation: + TargetObject|contains: Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs + persistance: + TargetObject|contains: Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration + condition: creation or persistance +falsepositives: + - Creation of non-default, legitimate AT. +level: High \ No newline at end of file
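Review bot: the tag `attack.persistance` is misspelled and will not map to the MITRE tactic; the Sigma convention is `attack.persistence`, and the same typo appears in the `description`, in the selection name `persistance` and in the `condition` line (`creation or persistance`), plus `Assisitive` in the description. Suggest `persistence` throughout, e.g. `  persistence:` and `  condition: creation or persistence`. Two further nits in the same hunk: `level: High` should be lowercase `high` to match the Sigma level enumeration used by the repo's other rules, and the file is missing a trailing newline (`\ No newline at end of file`). On the detection itself, both selections match a plain `contains` on the Accessibility registry path, so any legitimate AT installer (screen readers, magnifiers) registering under `Accessibility\ATs` or writing its `Configuration` value will fire; it would help to say so explicitly in `falsepositives` and to note that analysts should compare the written value against the known default AT entries rather than treating every hit as suspicious.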