diff --git a/rules/windows/other/win_reg_persistence.yaml b/rules/windows/other/win_reg_persistence.yaml
new file mode 100644
index 000000000..c74c82917
--- /dev/null
+++ b/rules/windows/other/win_reg_persistence.yaml
@@ -0,0 +1,21 @@
+title: Registry Persistence Mechanisms
+description: Detects persistence registry keys
+references:
+ - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
+date: 2018/04/11
+author: Karneades
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection_reg1:
+ EventID: 13
+ TargetObject:
+ - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\GlobalFlag'
+ - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\ReportingMode'
+ - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\MonitorProcess'
+ EventType: 'SetValue'
+ condition: 1 of them
+falsepositives:
+ - unknown
+level: critical
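Review bot: The three TargetObject values are written with the `HKEY_LOCAL_MACHINE\` prefix, but Sysmon event 13 records the hive in TargetObject in its short form (`HKLM\...`), so as written the selection will most likely never match a real event; the entries should read `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\GlobalFlag` and likewise for the two SilentProcessExit values. Consider a leading wildcard (`*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\...`) so the same keys are also caught when written through the WOW6432Node view, which the current literal paths miss. `falsepositives: unknown` understates what is known: GlobalFlag and the SilentProcessExit values are legitimately set by debugging tooling (gflags / Application Verifier), so a line such as `- Debugging tools such as gflags or Application Verifier setting GlobalFlag / SilentProcessExit on a per-image basis` would help analysts triage a `critical` alert. The `EventType: 'SetValue'` line is redundant with `EventID: 13` (that event is already the value-set event) and can be dropped or kept as documentation.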