diff --git a/rules/windows/malware/sysmon_malware_dridex.yml b/rules/windows/malware/sysmon_malware_dridex.yml
new file mode 100644
index 000000000..9f351c5e7
--- /dev/null
+++ b/rules/windows/malware/sysmon_malware_dridex.yml
@@ -0,0 +1,40 @@
+---
+action: global
+title: Dridex Process Pattern
+status: experimental
+description: Detects typical Dridex process patterns
+references:
+ - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
+author: Florian Roth
+date: 2019/01/10
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ condition: 1 of them
+falsepositives:
+ - Unlikely
+level: critical
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection1:
+ EventID: 1
+ CommandLine: '*\svchost.exe C:\Users\*\Desktop\*'
+ selection2:
+ EventID: 1
+ ParentImage: '*\svchost.exe*'
+ CommandLine:
+ - '*whoami.exe /all'
+ - '*net.exe view'
+---
+logsource:
+ product: windows
+ service: security
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+ selection:
+ EventID: 4688
+ ProcessCommandLine: '*\svchost.exe C:\Users\*\Desktop\*'
\ No newline at end of file
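Review bot: The `selection2` command-line literals `'*whoami.exe /all'` and `'*net.exe view'` only match when the operator typed the `.exe` suffix, so the far more common `whoami /all` and `net view` spellings (which is what the Sysmon EventID 1 CommandLine field carries when invoked that way) slip past this half of the rule; either add `- '*whoami /all'` and `- '*net view'` to the list, or match the binary through `Image: '*\whoami.exe'` / `Image: '*\net.exe'` and keep only the argument in `CommandLine`. The trailing wildcard in `ParentImage: '*\svchost.exe*'` also looks unintended, since `'*\svchost.exe'` is what the other selections use and the open-ended form would accept any filename merely starting with that string. Separately, the `security` (4688) source mirrors only `selection1`, so installations without Sysmon get none of the svchost-parent discovery-command logic; if that is deliberate, a comment such as `# selection2 omitted: 4688 exposes the parent only as ParentProcessName on newer builds` would save the next maintainer from re-adding it blindly.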