diff --git a/rules/windows/sysmon/sysmon_susp_mic_cam_access.yml b/rules/windows/sysmon/sysmon_susp_mic_cam_access.yml new file mode 100644 index 000000000..ad3c29378 --- /dev/null +++ b/rules/windows/sysmon/sysmon_susp_mic_cam_access.yml @@ -0,0 +1,35 @@ +title: Suspicious Camera and Microphone Access +id: 62120148-6b7a-42be-8b91-271c04e281a3 +description: Detects Processes accessing the camera and microphone from suspicious folder +author: Den Iuzvyk +date: 2020/06/07 +reference: + - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072 +tags: + - attack.collection + - attack.t1125 + - attack.t1123 +logsource: + category: sysmon + product: windows +detection: + selection_1: + EventId: 13 + TargetObject|contains: + - \Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\\*\NonPackaged + selection_2: + TargetObject|contains: + - microphone + - webcam + selection_3: + TargetObject|contains: + - '#C:#Windows#Temp#' + - '#C:#$Recycle.bin#' + - '#C:#Temp#' + - '#C:#Users#Public#' + - '#C:#Users#Default#' + - '#C:#Users#Desktop#' + condition: all of selection_* +falsepositives: + - Unlikely, there could be conferencing software running from a Temp folder accessing the devices +level: high \ No newline at end of file
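Review bot: the `'#C:#Users#Desktop#'` entry in selection_3 will never match a real path, since per-user Desktop folders live under `C:\Users\<name>\Desktop` and a top-level `C:\Users\Desktop` does not normally exist; either drop it or widen it to something like `'#C:#Users#*#Desktop#'` if the intent is to catch binaries run from any user's desktop. Two field names also deviate from the Sigma schema and will trip the rule checker: `reference:` should be `references:`, and `EventId: 13` should be `EventID: 13` (the logsource is usually expressed as `product: windows` with `service: sysmon` or `category: registry_event` rather than `category: sysmon`, so that the Sysmon event ID is applied by the backend mapping instead of being hard-coded). The rule is missing a `status:` line (e.g. `experimental` for a new rule), and the description should read "Detects processes accessing the camera or microphone from a suspicious folder". Finally, add the trailing newline so the file does not end with `\ No newline at end of file`.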