diff --git a/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml b/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml
new file mode 100644
index 000000000..cea5c5ba8
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml
@@ -0,0 +1,24 @@
+title: Possible Shim Database Persistence via sdbinst.exe
+status: experimental
+description: Detects execution of sdbinst writing to default shim database path C:\Windows\AppPatch\*
+references:
+ - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
+tags:
+ - attack.persistence
+ - attack.t1138
+author: Markus Neis
+date: 2018-08-03
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 1
+ Image:
+ - '*\sdbinst.exe'
+ CommandLine:
+ - '*\AppPatch\*}.sdb*'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
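Review bot: The description says the rule detects sdbinst "writing to" the AppPatch path, but the selection only matches a Sysmon EventID 1 process creation whose CommandLine contains `*\AppPatch\*}.sdb*`; no file-write event (EventID 11) is inspected, so the text overstates what is observed. Suggest `description: Detects execution of sdbinst.exe with a command line that references a GUID-named .sdb file under the default shim database path C:\Windows\AppPatch\ (see the referenced FIN7 report)`. The `}` before `.sdb` restricts matches to GUID-style file names, which fits the referenced report but means the rule is narrower than the title implies; if that restriction is intentional, a comment or a sentence in the description should say so, and if not, a second CommandLine pattern such as `'*\AppPatch\Custom\*.sdb*'` would widen coverage. Since `falsepositives` is `Unknown` while `level` is `high`, it is worth recording that legitimate compatibility fixes and software installers also invoke sdbinst.exe, so analysts know the rule needs triage rather than being treated as a confirmed-malicious signal.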