diff --git a/nursery/connect-to-wmi-namespace-via-wbemlocator.yml b/nursery/connect-to-wmi-namespace-via-wbemlocator.yml
new file mode 100644
index 000000000..7bfae32f3
--- /dev/null
+++ b/nursery/connect-to-wmi-namespace-via-wbemlocator.yml
@@ -0,0 +1,20 @@
+# generated using capa explorer for IDA Pro
+rule:
+  meta:
+    name: connect to WMI namespace via WbemLocator
+    namespace: host-interaction/wmi
+    author: michael.hunhoff@fireeye.com
+    scope: function
+    att&ck:
+      - Execution::Windows Management Instrumentation [T1047]
+  features:
+    - and:
+      - basic block:
+        - and:
+          - api: ole32.CoCreateInstance
+          - bytes: 11 F8 90 45 3A 1D D0 11 89 1F 00 AA 00 4B 2E 24 = CLSID_WbemLocator
+          - bytes: 87 A6 12 DC 7F 73 CF 11 88 4D 00 AA 00 4B 2E 24 = IID_IWbemLocator
+      - offset: 0x18 = ppv->ConnectServer
+      - optional:
+        - string: /ROOT\\CIMV2/i
+        - string: /ROOT\\DEFAULT/i