diff --git a/rules/windows/builtin/win_mal_service_installs.yml b/rules/windows/builtin/win_mal_service_installs.yml
index fba8777ea..bade1df84 100644
--- a/rules/windows/builtin/win_mal_service_installs.yml
+++ b/rules/windows/builtin/win_mal_service_installs.yml
@@ -19,12 +19,14 @@ detection:
         ServiceFileName: '*\DumpSvc.exe'
     wannacry:
         ServiceName: 'mssecsvc2.0'
+    persistence:
+        ServiceFileName: '* net user *'
     others:
         ServiceName:
             - 'pwdump*'
             - 'gsecdump*'
             - 'cachedump*'
-    condition: selection and ( wce or paexec or winexe or pwdumpx or wannacry or others )
+    condition: selection and ( wce or paexec or winexe or pwdumpx or wannacry or persistence or others )
 falsepositives:
     - Penetration testing
 level: critical
diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml
new file mode 100644
index 000000000..1dc3ef984
--- /dev/null
+++ b/rules/windows/other/win_wmi_persistence.yml
@@ -0,0 +1,20 @@
+title: WMI Persistence
+status: experimental
+description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 (Windows 10, 2012 and higher)
+author: Florian Roth
+reference: https://twitter.com/mattifestation/status/899646620148539397
+logsource:
+    product: windows
+    service: wmi
+detection:
+    selection:
+        EventID: 5861
+    keywords:
+        - 'CommandLineEventConsumer'
+        - 'CommandLineTemplate'
+        - 'Binding EventFilter'
+    condition: selection and 1 of keywords
+falsepositives:
+    - Unknown (data set is too small; further testing needed)
+level: high
+
diff --git a/rules/windows/sysmon/sysmon_office_shell.yml b/rules/windows/sysmon/sysmon_office_shell.yml
index 7c6cffa86..9881f03ce 100644
--- a/rules/windows/sysmon/sysmon_office_shell.yml
+++ b/rules/windows/sysmon/sysmon_office_shell.yml
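Review bot: The new `persistence` selection only matches a `ServiceFileName` that has a space on both sides of `net user`, so a service binary path that begins with the command, or separates the words with more than one space, is not caught, and the selection name says nothing about what the pattern looks for. A name that describes the match, `net_user:` with the same change in the condition line, plus a comment above it such as `# service binary path that embeds an account-manipulation command`, would make the intent reviewable. `falsepositives` still lists only penetration testing; an administrator wrapping account maintenance in a service would presumably trip this too. The `selection` referenced by the condition and the start of the `detection` mapping lie outside this hunk.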
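Review bot: `condition: selection and 1 of keywords` makes each listed string sufficient on its own, so any 5861 event whose text contains `Binding EventFilter` fires; as 5861 is presumably written for every permanent consumer binding, management tooling that registers its own consumers will match as well, and the `falsepositives` entry should name that instead of `Unknown`. With a single keyword list the plain form `condition: selection and keywords` expresses the same any-of match and matches how the other rules in this commit are written. The rule also lacks the `date:` field that the sibling new rule `sysmon_susp_svchost.yml` carries, and the file ends with a trailing blank line.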
@@ -23,6 +23,7 @@ detection:
             - '*\sh.exe'
             - '*\bash.exe'
             - '*\scrcons.exe'
+            - '*\regsvr32.exe' # see https://twitter.com/subTee/status/899283365647458305
             - '*\hh.exe' # see https://www.hybrid-analysis.com/sample/6abc2b63f1865a847ff7f5a9d49bb944397b36f5503b9718d6f91f93d60f7cd7?environmentId=100
     condition: selection
 falsepositives:
diff --git a/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml b/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml
index 02372bcb8..ca5283258 100644
--- a/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml
+++ b/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml
@@ -1,4 +1,4 @@
-title: Command Line Executaion with suspicious URL and AppData Strings
+title: Command Line Execution with suspicious URL and AppData Strings
 status: experimental
 description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
 reference:
diff --git a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
index 5d91e068b..846725995 100644
--- a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
+++ b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
@@ -2,6 +2,7 @@ title: Regsvr32 Anomaly
 status: experimental
 description: Detects various anomalies in relation to regsvr32.exe
 author: Florian Roth
+reference: https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
 logsource:
     product: windows
     service: sysmon
diff --git a/rules/windows/sysmon/sysmon_susp_svchost.yml b/rules/windows/sysmon/sysmon_susp_svchost.yml
new file mode 100644
index 000000000..811fc71b8
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_susp_svchost.yml
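Review bot: The trailing `# see <url>` comment on the new `'*\regsvr32.exe'` entry (mirroring the existing `hh.exe` one) keeps the source of the indicator where a YAML round trip through the converters drops it; the rule's `reference:` field, which lies outside this hunk, is the place that survives. Keeping the list item as the bare value `- '*\regsvr32.exe'` and moving the link there makes the provenance visible to anyone consuming the converted rule. The `Image` list this entry joins also starts before the hunk.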
@@ -0,0 +1,18 @@
+title: Suspicious Svchost Process
+status: experimental
+description: Detects a suspicious scvhost process start
+author: Florian Roth
+date: 2017/08/15
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        Image: '*\svchost.exe'
+    filter:
+        ParentImage: '*\services.exe'
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/windows/sysmon/sysmon_win_binary_github_com.yml b/rules/windows/sysmon/sysmon_win_binary_github_com.yml
new file mode 100644
index 000000000..42e2a5c94
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_win_binary_github_com.yml
@@ -0,0 +1,19 @@
+title: Microsoft Binary Github Communication
+status: experimental
+description: Detects an executable in the Windows folder accessing github.com
+reference: https://twitter.com/M_haggis/status/900741347035889665
+author: Michael Haag (idea), Florian Roth (rule)
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 3
+        DestinationHostname: '*.github.com'
+        Image: 'C:\Windows\*'
+    condition: selection
+falsepositives:
+    - 'Unknown'
+    - '@subTee in your network'
+level: high
+
diff --git a/tools/config/splunk-windows-all.yml b/tools/config/splunk-windows-all.yml
index f832bc143..754459689 100644
--- a/tools/config/splunk-windows-all.yml
+++ b/tools/config/splunk-windows-all.yml
@@ -28,12 +28,17 @@ logsources:
         product: windows
         service: powershell-classic
         conditions:
-            source: 'Windows PowerShell'
+            source: 'Windows PowerShell'
     windows-powershell:
         product: windows
         service: taskscheduler
         conditions:
             source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational'
+    windows-wmi:
+        product: windows
+        service: wmi
+        conditions:
+            source: 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational'
     windows-dns-server:
         product: windows
         service: dns-server
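Review bot: The `filter` checks only the file name of the parent, `'*\services.exe'`, not its directory, so the exclusion applies to any process carrying that name wherever it lives; anchoring it on the real service control manager, `ParentImage: 'C:\Windows\System32\services.exe'`, keeps the exception as narrow as the rule's intent. `description` has a typo, `scvhost` for `svchost`: `description: Detects a suspicious svchost process start`. `falsepositives: Unknown` is also optimistic — svchost instances started by other Windows components (the Defender engine is the usual example) will presumably show up in any sizeable data set and should be listed once confirmed.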
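Review bot: `DestinationHostname: '*.github.com'` requires a label in front of the domain, so a connection whose recorded hostname is exactly `github.com` does not match; a two-entry list covers both forms: `- 'github.com'` and `- '*.github.com'`. Sysmon fills `DestinationHostname` from a reverse lookup rather than from the name the client resolved, so the field may be empty or differ from the expected domain — that limitation belongs in the description so analysts know a miss is not proof of absence. The file also ends with a trailing blank line.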
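Review bot: The re-indented `source: 'Windows PowerShell'` line keeps a bare value while every neighbouring entry, including the new `windows-wmi` one, uses the `WinEventLog:` prefix; if the classic PowerShell log is indexed as `WinEventLog:Windows PowerShell`, rules with `service: powershell-classic` will never match, so the indexed `source` value should be verified before this config ships. The context key `windows-powershell:` maps to `service: taskscheduler`, which reads like a copy-paste name; if another `windows-powershell` key exists elsewhere in `logsources`, most YAML parsers keep only the last one silently, and renaming it `windows-taskscheduler:` removes the risk. The new `windows-wmi` entry itself is consistent with the `service: wmi` logsource introduced in `win_wmi_persistence.yml`.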