diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml
index 9203768fe..57d3ade28 100755
--- a/rules/windows/image_load/sysmon_wmi_module_load.yml
+++ b/rules/windows/image_load/sysmon_wmi_module_load.yml
@@ -3,7 +3,7 @@ id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
 description: Detects non wmiprvse loading WMI modules
 status: experimental
 date: 2019/08/10
-modified: 2021/06/15
+modified: 2021/08/18
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
@@ -37,6 +37,7 @@ detection:
 - '\ngentask.exe' # c:\Windows\Microsoft.NET\Framework(64)\ngentask.exe
 - '\windows\system32\taskhostw.exe' # c:\windows\system32\taskhostw.exe
 - '\windows\system32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least
+ - '\windows\system32\wbem\WMIADAP.exe' # https://github.com/SigmaHQ/sigma/issues/1871
 condition: selection and not filter
 fields:
 - ComputerName
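Review bot: The new exclusion `'\windows\system32\wbem\WMIADAP.exe'` is a path suffix like its siblings, and the filter's field and modifier are defined above this hunk (the `filter:` block starts outside it); if that modifier is the usual `endswith`, any attacker-controlled path ending in that string — e.g. `C:\Users\x\windows\system32\wbem\WMIADAP.exe` — loads WMI modules without firing the rule, so each entry added here widens a bypass that the commit does not mention. Either anchor the new entry as an exact full path where the rule's modifiers allow it, or record the trade-off for the rule's consumers (a comment on the filter or an entry in the rule's false-positive notes) so analysts know the exclusion is name-based, not identity-based. The inline comment also breaks with the neighbouring entries, which state the expected on-disk location rather than only an issue link; I would write `# c:\windows\system32\wbem\WMIADAP.exe - https://github.com/SigmaHQ/sigma/issues/1871` so a reader can verify the process without leaving the file.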