diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
new file mode 100644
index 000000000..8c7a7313b
--- /dev/null
+++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2020/11/17"
+maturity = "production"
+updated_date = "2020/11/17"
+
+[rule]
+author = ["Elastic"]
+description = """
+The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a
+different process to be executed. This functionality can be abused by an adversary to establish persistence.
+"""
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License"
+name = "Image File Execution Options Injection"
+references = [
+    "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
+]
+risk_score = 41
+rule_id = "6839c821-011d-43bd-bd5b-acff00257226"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
+type = "eql"
+
+query = '''
+registry where length(registry.data.strings) > 0 and
+ registry.path : ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger", 
+                  "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger", 
+                  "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess", 
+                  "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess") and
+   /* add FPs here */
+ not registry.data.strings : ("C:\\Program Files*\\ThinKiosk\\thinkiosk.exe", "*\\PSAppDeployToolkit\\*")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1183"
+name = "Image File Execution Options Injection"
+reference = "https://attack.mitre.org/techniques/T1183/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+