diff --git a/yara/mal_exchange_cryptominer.yar b/yara/mal_exchange_cryptominer.yar
new file mode 100644
index 0000000..b8d087b
--- /dev/null
+++ b/yara/mal_exchange_cryptominer.yar
@@ -0,0 +1,14 @@
+rule MAL_Exchange_CryptoMiner_Mar21_1 {
+ meta:
+ description = "Detects Cryptominer activity exploiting exchange vulnerability"
+ author = "Florian Roth"
+ date = "2021-03-16"
+ reference = "https://twitter.com/ollieatnccgroup/status/1371840592246870023"
+ score = 60
+ strings:
+ $s1 = "wmic.exe product where"
+ $s2 = "%AntiVirus%"
+ $s3 = "call uninstall /noninteractive"
+ condition:
+ all of them
+}
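Review bot: The three literals under `strings:` carry no modifiers, so they match only as ASCII and only in this exact casing, whereas the Windows command interpreter that would execute these lines treats them case-insensitively and batch files are sometimes saved as UTF-16; declaring them as `$s1 = "wmic.exe product where" ascii wide nocase`, `$s2 = "%AntiVirus%" ascii wide nocase` and `$s3 = "call uninstall /noninteractive" ascii wide nocase` keeps the same `all of them` logic while closing that gap. The `description` also overstates what the rule observes: the strings identify a script that uninstalls AV products via WMIC, not mining or the Exchange exploitation itself, so a wording like `description = "Detects batch script uninstalling AV via WMIC, as used in the March 2021 Exchange cryptominer campaign"` would better tell an analyst what a hit means. Since the artefact is a small script, a `filesize < 200KB` term in the condition would also cut scan cost on large files with no loss of coverage (constructed threshold, adjust to the observed sample).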