diff --git a/rules/windows/malware/av_exploiting.yml b/rules/windows/malware/av_exploiting.yml
new file mode 100644
index 000000000..158b16af2
--- /dev/null
+++ b/rules/windows/malware/av_exploiting.yml
@@ -0,0 +1,28 @@
+title: Antivirus Exploitation Framework Detection
+description: Detects a highly relevant Antivirus alert that reports an exploitation framework
+date: 2018/09/09
+author: Florian Roth
+references:
+ - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
+tags:
+ - attack.exploitation_for_client_execution
+ - attack.t1203
+ - attack.remote_access_tools
+ - attack.t1219
+logsource:
+ product: antivirus
+detection:
+ selection:
+ Signature:
+ - "*MeteTool*"
+ - "*Meterpreter*"
+ - "*Metasploit*"
+ - "*PowerSploit*"
+ - "*CobaltSrike*"
+ condition: selection
+fields:
+ - FileName
+ - User
+falsepositives:
+ - Unlikely
+level: critical
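Review bot: The `*CobaltSrike*` entry in the Signature list looks like a typo for CobaltStrike, so antivirus signature names spelled `CobaltStrike` or `Cobalt Strike` would not match and the alert would be silently missed. If the misspelling is deliberate to match one vendor's naming, keep it but add the correctly spelled variants alongside it, e.g. `- "*CobaltStrike*"` and `- "*Cobalt Strike*"`. The same question applies to `*MeteTool*`, which as written matches neither Meterpreter nor Metasploit signature names; a short comment naming the vendor signature it targets would let maintainers verify it rather than guess. Since the rule is `level: critical` with `falsepositives: Unlikely`, a missed spelling variant matters more here than in a lower-severity rule.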