diff --git a/rules/windows/process_creation/win_susp_atbroker.yml b/rules/windows/process_creation/win_susp_atbroker.yml
new file mode 100644
index 000000000..ca842b913
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_atbroker.yml
@@ -0,0 +1,53 @@
+title: Suspicious Atbroker Execution
+id: f24bcaea-0cd1-11eb-adc1-0242ac120002
+description: Atbroker executing non-deafualt Assistive Technology applications
+references:
+ - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
+ - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
+status: experimental
+author: Mateusz Wydra, oscd.community
+date: 2020/10/12
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ - Image|endswith: 'AtBroker.exe'
+ selection2:
+ - CommandLine|contains: 'start'
+ filter:
+ - CommandLine|contains:
+ - animations
+ - audiodescription
+ - caretbrowsing
+ - caretwidth
+ - colorfiltering
+ - cursorscheme
+ - filterkeys
+ - focusborderheight
+ - focusborderwidth
+ - highcontrast
+ - keyboardcues
+ - keyboardpref
+ - magnifierpane
+ - messageduration
+ - minimumhitradius
+ - mousekeys
+ - Narrator
+ - osk
+ - overlappedcontent
+ - showsounds
+ - soundsentry
+ - stickykeys
+ - togglekeys
+ - windowarranging
+ - windowtracking
+ - windowtrackingtimeout
+ - windowtrackingzorder
+ condition: selection1 and selection2 and not filter
+falsepositives:
+ - Legitimate, non-deafualt Assistive Technology applications execution
+level: high
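Review bot: The `filter` block suppresses any command line that merely *contains* one of the allowlisted AT names, so a non-default AT registered under a name that embeds such a token (e.g. `kiosk` contains `osk`, `Narrator2` contains `Narrator`) is excluded even though that is exactly the abuse the rule is meant to catch; the same substring logic also lets `selection2` fire on `restart` or on an AT name containing `start`. Anchoring the `start` argument as a whole word closes both gaps, e.g. replace the `contains` list with `CommandLine|re: '(?i)\bstart\s+(animations|audiodescription|…|windowtrackingzorder)\s*$'` (full token list in the alternation), or use one `CommandLine|endswith: ' start osk'` entry per token if the backend lacks regex support. Separately, `Image|endswith: 'AtBroker.exe'` also matches an unrelated `notAtBroker.exe`; the conventional Sigma form is `Image|endswith: '\AtBroker.exe'`. The description and falsepositives text both misspell `non-deafualt`, which should read `non-default`.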