diff --git a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml new file mode 100644 index 000000000..89dcaf75f --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml @@ -0,0 +1,31 @@ +title: Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script +id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d +related: + - id: 236d8e89-ed95-4789-a982-36f4643738ba + type: derived +status: experimental +description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state +references: + - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ + - https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/06/14 +tags: + - attack.execution + - attack.persistence + - attack.t1059 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\VMwareToolBoxCmd.exe' + - OriginalFileName: 'toolbox-cmd.exe' + selection_cli: + CommandLine|contains|all: + - ' script ' + - ' set ' + condition: all of selection_* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml new file mode 100644 index 000000000..d6047d532 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml 
@@ -0,0 +1,38 @@ +title: Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script +id: 236d8e89-ed95-4789-a982-36f4643738ba +related: + - id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d + type: derived +status: experimental +description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potential suspicious location to run for a specific VM state +references: + - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/06/14 +tags: + - attack.execution + - attack.persistence + - attack.t1059 +logsource: + category: process_creation + product: windows +detection: + selection_bin_img: + - Image|endswith: '\VMwareToolBoxCmd.exe' + - OriginalFileName: 'toolbox-cmd.exe' + selection_bin_cli: + CommandLine|contains|all: + - ' script ' + - ' set ' + selection_susp_paths: + CommandLine|contains: + - ':\PerfLogs\' + - ':\Temp\' + - ':\Windows\System32\Tasks\' + - ':\Windows\Tasks\' + - ':\Windows\Temp\' + - '\AppData\Local\Temp' + condition: all of selection_* +falsepositives: + - Unknown +level: high
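Review bot: In the first hunk (proc_creation_win_vmware_toolbox_cmd_persistence.yml) the `related` entry is inverted: Sigma's `derived` type means "this rule was derived from the referenced rule", yet this base rule declares itself derived from the `_susp` rule while the `_susp` rule in turn declares itself derived from this one, which is circular. Keep `type: derived` only in the `_susp` rule and either drop the block here or use `type: similar`. Two smaller points: the `falsepositives` list reads `- Unknown`, but the detection (`' script '` plus `' set '`) will match any administrator legitimately configuring VM power-state scripts, so that should be named so analysts know what benign hits look like; and in the description "to setup a specific script" should read "to set up a specific script".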
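Review bot: In the second hunk (proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml) the last entry of `selection_susp_paths`, `- '\AppData\Local\Temp'`, is the only one without a trailing backslash, so it also matches any sibling directory whose name merely starts with `Temp`; make it `- '\AppData\Local\Temp\'` for consistency with `':\Windows\Temp\'` and the other entries. The description also needs "potentially suspicious location" rather than "potential suspicious location" and "set up" rather than "setup". As with the base rule, `falsepositives: - Unknown` should name the legitimate case (administrators staging VM state-change scripts from a temp path), since the only thing that distinguishes this high-level rule from the medium one is the path list.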