diff --git a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml b/rules/windows/sysmon/sysmon_wmi_event_subscription.yml
new file mode 100644
index 000000000..95177ba63
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_wmi_event_subscription.yml
@@ -0,0 +1,22 @@
+title: WMI Event Subscription
+status: experimental
+description: Detects creation of WMI event subscription persistence method
+references:
+    - https://attack.mitre.org/techniques/T1084/
+tags:
+    - attack.t1084
+    - attack.persistence
+author: Tom Ueltschi (@c_APT_ure)
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selector:
+        EventID:
+            - 19
+            - 20
+            - 21
+    condition: selector
+falsepositives:
+    - exclude legitimate (vetted) use of WMI event subscription in your network
+level: high
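Review bot: The selector on EventID 19/20/21 does not constrain the WMI operation, so the rule also fires when a filter, consumer or binding is removed, although the description says it detects creation; Sysmon's WMI events carry an Operation field (Created/Deleted), so adding `Operation: Created` under `selector:` keeps the logic aligned with the description (confirm the field name against the Sysmon version deployed). Matching any of the three IDs also means a single persistence install yields three alerts, and Event ID 21 (the filter-to-consumer binding) is the one that actually proves the subscription is armed, which is worth stating in the description so analysts triage the binding first. The rule is silent unless the Sysmon configuration includes a WmiEvent section, which many baseline configs omit; a line such as `# Requires a Sysmon config that logs WmiEvent (Event IDs 19-21)` would prevent a quiet miss. T1084 has since been folded into T1546.003 in ATT&CK, so the tag and reference may need updating if the repository tracks current technique IDs.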