diff --git a/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml b/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml
new file mode 100644
index 000000000..02c36329a
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml
@@ -0,0 +1,42 @@
+title: SharPersist Usage
+id: 26488ad0-f9fd-4536-876f-52fea846a2e4
+status: experimental
+description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
+author: Florian Roth
+references:
+ - https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit
+ - https://github.com/mandiant/SharPersist
+date: 2022/09/15
+logsource:
+ category: process_creation
+ product: windows
+tags:
+ - attack.persistence
+ - attack.t1053
+ - attack.t1060
+ - attack.t1050
+detection:
+ selection1:
+ Image|endswith: '\SharPersist.exe'
+ selection2:
+ Product: 'SharPersist'
+ selection3:
+ CommandLine|contains:
+ - ' -t schtask -c '
+ - ' -t startupfolder -c '
+ selection4:
+ CommandLine|contains|all:
+ - ' -t reg -c '
+ - ' -m add'
+ selection5:
+ CommandLine|contains|all:
+ - ' -t service -c '
+ - ' -m add'
+ selection6:
+ CommandLine|contains|all:
+ - ' -t schtask -c '
+ - ' -m add'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
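Review bot: `condition: selection` references a selection identifier the rule never defines — the named selections are selection1 through selection6 — so a Sigma backend will either reject the rule or compile a query that never fires; the line should read `condition: 1 of selection*`. selection6 (`' -t schtask -c '` combined with `' -m add'`) is already fully covered by selection3's first value, so it adds no coverage and can be dropped to keep the rule readable. The tags attack.t1060 and attack.t1050 look like retired ATT&CK technique IDs (I believe they were superseded by the sub-techniques attack.t1547.001 and attack.t1543.003 — worth confirming against the current matrix), which would trip the repository's tag validation and mislead anyone mapping alerts to the framework.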