diff --git a/rules/windows/execution_scripts_process_started_via_wmi.toml b/rules/windows/execution_scripts_process_started_via_wmi.toml
new file mode 100644
index 000000000..504f6715a
--- /dev/null
+++ b/rules/windows/execution_scripts_process_started_via_wmi.toml
@@ -0,0 +1,77 @@
+[metadata]
+creation_date = "2020/11/27"
+maturity = "production"
+updated_date = "2020/11/27"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management
+Instrumentation (WMI). This may be indicative of malicious activity.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License"
+name = "Windows Script Interpreter Executing Process via WMI"
+risk_score = 47
+rule_id = "b64b183e-1a76-422d-9179-7b389513e74d"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+type = "eql"
+
+query = '''
+sequence by host.id with maxspan=5s
+    [library where file.name : "wmiutils.dll" and process.name : ("wscript.exe", "cscript.exe")]
+    [process where event.type in ("start", "process_started") and
+     process.parent.name : "wmiprvse.exe" and
+     user.domain != "NT AUTHORITY" and
+     (process.pe.original_file_name in
+                                (
+                                  "cscript.exe",
+                                  "wscript.exe",
+                                  "PowerShell.EXE",
+                                  "Cmd.Exe",
+                                  "MSHTA.EXE",
+                                  "RUNDLL32.EXE",
+                                  "REGSVR32.EXE",
+                                  "MSBuild.exe",
+                                  "InstallUtil.exe",
+                                  "RegAsm.exe",
+                                  "RegSvcs.exe",
+                                  "msxsl.exe",
+                                  "CONTROL.EXE",
+                                  "EXPLORER.EXE",
+                                  "Microsoft.Workflow.Compiler.exe",
+                                  "msiexec.exe"
+                                  ) or
+      process.executable : ("C:\\Users\\*.exe", "C:\\ProgramData\\*.exe")
+     )
+    ]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1193"
+name = "Spearphishing Attachment"
+reference = "https://attack.mitre.org/techniques/T1193/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"