diff --git a/rules/windows/sysmon/sysmon_vuln_cve_2017_8759.yml b/rules/windows/sysmon/sysmon_vuln_cve_2017_8759.yml
new file mode 100644
index 000000000..061db9210
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_vuln_cve_2017_8759.yml
@@ -0,0 +1,19 @@
+title: Exploit for CVE-2017-8759
+description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
+reference:
+ - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+ - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+author: Florian Roth
+date: 15.09.2017
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 1
+ ParentImage: '*\WINWORD.EXE'
+ Image: '*\csc.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
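Review bot: The `date: 15.09.2017` line uses a dotted day-first format, whereas Sigma rules are conventionally dated as `YYYY/MM/DD`; I would change it to `date: 2017/09/15` so the rule parses the same way as the rest of the ruleset. The `falsepositives: - Unknown` entry could give analysts something to triage against: as far as I know, .NET-based Office add-ins that generate XmlSerializer assemblies on the fly can legitimately spawn csc.exe under WINWORD.EXE, which is worth confirming and, if true, listing as `- .NET Office add-ins that compile serialization assemblies at runtime`. A `status: experimental` line, as the other new rules carry, would also make the maturity of the rule explicit to consumers.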