diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml
index dbb17a226..3a087081c 100644
--- a/rules/windows/other/win_wmi_persistence.yml
+++ b/rules/windows/other/win_wmi_persistence.yml
@@ -1,23 +1,30 @@
+action: global
 title: WMI Persistence
 id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
 status: experimental
-description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 and 5859 (Windows 10, 2012 and higher)
-author: Florian Roth
+description: Detects suspicious WMI event filter and command line event consumer based on WMI and Sysmon logs.
+author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
 date: 2017/08/22
-modified: 2020/08/23
+modified: 2020/10/13
 references:
     - https://twitter.com/mattifestation/status/899646620148539397
     - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+    - https://attack.mitre.org/techniques/T1546/003/
 tags:
     - attack.persistence
     - attack.privilege_escalation
     - attack.t1084 # an old one
     - attack.t1546.003
+falsepositives:
+    - Unknown (data set is too small; further testing needed)
+level: medium
+---
 logsource:
     product: windows
-    service: wmi
+    service: wmi #native windows detection
+    definition: 'WMI Namespaces Auditing and SACL should be configured, EventID 5861 and 5859 detection requires Windows 10, 2012 and higher'
 detection:
-    selection:
+    wmi_activity_5861:
         EventID: 5861
     keywords:
         Message:
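Review bot: The first document keeps `service: wmi` as its only logsource, but the selections added to that same document in the next hunk (`network_logon` EventID 4624, `privileges_assigned` EventID 4672, `wmi_subscription` EventID 4662) are Security-log events, so a backend that maps `service: wmi` to the WMI-Activity channel can never match the third branch of the condition. Those three selections belong in a document of their own with `logsource: product: windows` / `service: security`, leaving the WMI-Activity document with the 5861/5859 branches only. As a point of style, `service: wmi #native windows detection` needs two spaces before the `#` and one after to satisfy yamllint, e.g. `service: wmi  # native Windows WMI-Activity log`, and the long single-quoted `definition` scalar would read better as a `>-` folded block. The `Message:` keyword list begins on the last line of this hunk and continues outside it.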
@@ -25,9 +32,31 @@ detection:
             - '*CommandLineEventConsumer*'
             - '*CommandLineTemplate*'
             # - 'Binding EventFilter' # too many false positive with HP Health Driver
-    selection2:
+    wmi_activity_5859:
         EventID: 5859
-    condition: selection and 1 of keywords or selection2
-falsepositives:
-    - Unknown (data set is too small; further testing needed)
-level: medium
+    network_logon:
+        EventID: 4624
+        LogonType: 3
+    privileges_assigned:
+        EventID: 4672
+    wmi_subscription:
+        EventID: 4662
+        ObjectType: 'WMI Namespace'
+        ObjectName: '*subscription*'
+    condition: (wmi_activity_5861 and 1 of keywords) OR (wmi_activity_5859) OR (network_logon and privileges_assigned and wmi_subscription)
+---
+logsource:
+    product: windows
+    service: sysmon #sysmon detection
+detection:
+    filter_creation:
+        # Sysmon WMI Filter Creation
+        EventID: 19
+    consumer_creation:
+        # Sysmon WMI Consumer Creation
+        EventID: 20
+    consumer_binding:
+        # Sysmon WMI Consumer Binding
+        EventID: 21
+    timeframe: 5m
+    condition: all of them
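Review bot: `condition: all of them` together with `timeframe: 5m` in the new Sysmon document cannot fire as written: a Sigma condition without an aggregation is evaluated per event, a single record cannot carry EventID 19, 20 and 21 at once, and `timeframe` is only honoured alongside an aggregation expression. The branch `(network_logon and privileges_assigned and wmi_subscription)` in the first document has the same problem, since its three selections pin three different EventIDs. If alerting on each event individually is acceptable, the one-line fix for the Sysmon document is `condition: 1 of them`; otherwise the cross-event correlation needs an aggregation the target backend supports (for example the `near` operator) or a separate correlation rule, and the Security-log branch should be reduced to `wmi_subscription` on its own or handled the same way. The `#sysmon detection` inline comment also needs two spaces before the `#` and one after for yamllint.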