diff --git a/nursery/wmi-get-antivirus.yml b/nursery/wmi-get-antivirus.yml
new file mode 100644
index 000000000..9b1b16072
--- /dev/null
+++ b/nursery/wmi-get-antivirus.yml
@@ -0,0 +1,17 @@
+rule:
+ meta:
+ name: wmi get antivirus
+ namespace: collection/anti-virus
+ authors:
+ - kevross33/Kevin Ross
+ scopes:
+ static: function
+ dynamic: span of calls
+ att&ck:
+ - Discovery::Windows Management Instrumentation [T1047]
+ examples:
+ - f5fca1b178af87bd48c7ea9e3f2c957b
+ features:
+ - and:
+ - string: /root\\securitycenter/i
+ - string: /antivirusproduct/i
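Review bot: The `att&ck` entry pairs the Discovery tactic with T1047, but Windows Management Instrumentation [T1047] sits under Execution in ATT&CK, and the behaviour this rule actually describes (querying root\SecurityCenter for AntiVirusProduct) is Security Software Discovery; I would write `att&ck:` / `  - Discovery::Software Discovery::Security Software Discovery [T1518.001]` / `  - Execution::Windows Management Instrumentation [T1047]`. The `examples` entry is a bare hash while the static scope is `function`; capa's convention for function-scoped rules is to append the function address so the example can be verified, e.g. `- f5fca1b178af87bd48c7ea9e3f2c957b:0x<FUNCTION_OFFSET>` (offset is a placeholder, take it from the sample). The `meta` block also has no `description`; a one-liner such as `description: detects WMI queries against the root\SecurityCenter/SecurityCenter2 namespace for installed antivirus products` would tell a reader what the two regexes are matching, and the `/root\\securitycenter/i` pattern deliberately also covers `SecurityCenter2`, which is worth stating in a comment. Indentation of the hunk is not recoverable from this rendering, so the nesting of `features` relative to `meta` could not be checked.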