diff --git a/nursery/persist-via-errorhandler-script.yml b/nursery/persist-via-errorhandler-script.yml
new file mode 100644
index 00000000..1d542d49
--- /dev/null
+++ b/nursery/persist-via-errorhandler-script.yml
@@ -0,0 +1,20 @@
+rule:
+ meta:
+ name: persist via ErrorHandler script
+ namespace: persistence/file-system
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution [T1546]
+ references:
+ - https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
+ features:
+ - and:
+ - or:
+ - match: copy file
+ - match: move file
+ - match: write file on Windows
+ - string: /\\Windows\\Setup\\Scripts\\ErrorHandler.cmd/i
diff --git a/nursery/persist-via-get-variable-hijack.yml b/nursery/persist-via-get-variable-hijack.yml
new file mode 100644
index 00000000..d0175368
--- /dev/null
+++ b/nursery/persist-via-get-variable-hijack.yml
@@ -0,0 +1,20 @@
+rule:
+ meta:
+ name: persist via Get-Variable hijack
+ namespace: persistence/file-system
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Hijack Execution Flow [T1574]
+ references:
+ - https://www.threatdown.com/blog/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
+ features:
+ - and:
+ - or:
+ - match: copy file
+ - match: move file
+ - match: write file on Windows
+ - string: /Microsoft\\WindowsApps\\Get-Variable.exe/i
diff --git a/nursery/persist-via-iphlpapi-dll-hijack.yml b/nursery/persist-via-iphlpapi-dll-hijack.yml
new file mode 100644
index 00000000..a75e16bf
--- /dev/null
+++ b/nursery/persist-via-iphlpapi-dll-hijack.yml
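Review bot: The `.` in `ErrorHandler.cmd` on the last line of this hunk is an unescaped regex metacharacter, so the pattern matches any single character there rather than the literal file name; escape it as `- string: /\\Windows\\Setup\\Scripts\\ErrorHandler\.cmd/i` (a plain YAML scalar keeps the backslash literal, exactly as `/\.lnk$/i` in the lnk rule already relies on). The same unescaped dot recurs in the Get-Variable (`Get-Variable.exe`), iphlpapi (`iphlpapi.dll`), PowerShell profile (`Profile.ps1`, `Microsoft.PowerShell_profile.ps1`), accessibility tools (every `*.exe` alternative) and Windows Terminal (`Microsoft.WindowsTerminal_`, `settings.json`) rules in this set. The practical impact is low, but the rules currently read as if they matched the literal names when they do not.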
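Review bot: The Get-Variable rule has no `description:` under `meta`, and unlike the other rules in this set the file name alone does not make the persistence angle obvious to an analyst triaging a hit; `Get-Variable.exe` under `WindowsApps` looks like an ordinary application file. A one-line description stating what the linked reference documents — as far as I can tell, that the user's `WindowsApps` directory is on PATH and a `Get-Variable.exe` placed there is picked up when PowerShell runs — would make the match self-explanatory. Something like `description: Get-Variable.exe dropped into the user WindowsApps folder is resolved via PATH when PowerShell starts (see reference)` would do.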
@@ -0,0 +1,20 @@
+rule:
+ meta:
+ name: persist via iphlpapi DLL hijack
+ namespace: persistence/file-system
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Hijack Execution Flow [T1574]
+ references:
+ - https://cyble.com/blog/targeted-attacks-being-carried-out-via-dll-sideloading/
+ features:
+ - and:
+ - or:
+ - match: copy file
+ - match: move file
+ - match: write file on Windows
+ - string: /\\Appdata\\Local\\Microsoft\\.*\\iphlpapi.dll/i
diff --git a/nursery/persist-via-lnk-shortcut.yml b/nursery/persist-via-lnk-shortcut.yml
new file mode 100644
index 00000000..8be9ac4b
--- /dev/null
+++ b/nursery/persist-via-lnk-shortcut.yml
@@ -0,0 +1,20 @@
+rule:
+ meta:
+ name: persist via lnk shortcut
+ namespace: persistence/file-system
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Boot or Logon Autostart Execution::Shortcut Modification [T1547.009]
+ references:
+ - https://www.ired.team/offensive-security/persistence/modifying-.lnk-shortcuts
+ features:
+ - and:
+ - or:
+ - match: copy file
+ - match: move file
+ - match: write file on Windows
+ - string: /\.lnk$/i
diff --git a/nursery/persist-via-powershell-profile.yml b/nursery/persist-via-powershell-profile.yml
new file mode 100644
index 00000000..2141a615
--- /dev/null
+++ b/nursery/persist-via-powershell-profile.yml
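Review bot: `Persistence::Hijack Execution Flow [T1574]` on the att&ck line of the iphlpapi rule is the parent technique, while the rule name and the cyble reference are specifically about DLL side-loading / search-order hijacking of `iphlpapi.dll`; the DLL hijacking sub-technique under T1574 (T1574.001 in current ATT&CK — check the name your project's ATT&CK data uses) would be the more precise mapping. The `.*` between `Microsoft\\` and `\\iphlpapi.dll` is also unbounded and, if I recall capa's regex evaluation correctly as a search rather than a full match, will span any number of directory levels; `- string: /\\Appdata\\Local\\Microsoft\\[^\\]+\\iphlpapi\.dll/i` restricts it to a single sub-directory if that was the intent. The hunk header and rule body are otherwise consistent with the other rules in the set.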
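Review bot: `/\.lnk$/i` is the only discriminator in the lnk rule, so every function that copies, moves or writes a shortcut — ordinary installers and first-run setup code included — will fire, which makes this very noisy even for a nursery rule. Shortcut Modification [T1547.009], the mapped technique, is about shortcuts in auto-start locations, so consider pairing the extension check with a location indicator in the same `and:`, for example `- string: /\\Start Menu\\Programs\\Startup\\/i`, or at minimum add a `description:` under `meta` stating the expected false-positive rate so consumers know what they are enabling. The `$` anchor is fine here since the matched strings will typically be full paths or file names.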
@@ -0,0 +1,22 @@
+rule:
+ meta:
+ name: persist via PowerShell profile
+ namespace: persistence/file-system
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution::PowerShell Profile [T1546.013]
+ references:
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles
+ features:
+ - and:
+ - or:
+ - match: copy file
+ - match: move file
+ - match: write file on Windows
+ - or:
+ - string: /Profile.ps1/i
+ - string: /Microsoft.PowerShell_profile.ps1/i
diff --git a/nursery/persist-via-windows-accessibility-tools.yml b/nursery/persist-via-windows-accessibility-tools.yml
new file mode 100644
index 00000000..b28659aa
--- /dev/null
+++ b/nursery/persist-via-windows-accessibility-tools.yml
@@ -0,0 +1,27 @@
+rule:
+ meta:
+ name: persist via Windows accessibility tools
+ namespace: persistence/file-system
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution::Accessibility Features [T1546.008]
+ references:
+ - https://pentestlab.blog/2019/11/13/persistence-accessibility-features/
+ features:
+ - and:
+ - or:
+ - match: copy file
+ - match: move file
+ - match: write file on Windows
+ - or:
+ - string: /windows\\system32\\osk.exe/i
+ - string: /windows\\system32\\Magnify.exe/i
+ - string: /windows\\system32\\narator.exe/i
+ - string: /windows\\system32\\displayswitch.exe/i
+ - string: /windows\\system32\\atbroker.exe/i
+ - string: /windows\\system32\\sethc.exe/i
+ - string: /windows\\system32\\utilman.exe/i
diff --git a/nursery/persist-via-windows-terminal-profile.yml b/nursery/persist-via-windows-terminal-profile.yml
new file mode 100644
index 00000000..da76f85e
--- /dev/null
+++ b/nursery/persist-via-windows-terminal-profile.yml
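Review bot: The second alternative in the inner `or:` of the PowerShell profile rule, `/Microsoft.PowerShell_profile.ps1/i`, is subsumed by the first: `/Profile.ps1/i` is a case-insensitive substring search (if I read capa's regex evaluation right) and `Microsoft.PowerShell_profile.ps1` contains `profile.ps1`, so the second line never contributes a match. At the same time the first pattern is broad enough to match any script whose name merely ends in `Profile.ps1` in an unrelated directory. Both documented profile names from the linked about_profiles page are covered by one tighter pattern, `- string: /(\\|_)profile\.ps1$/i`, which lets you drop the inner `or:` entirely.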
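Review bot: `narator.exe` on the third `string:` line of the accessibility tools rule is misspelled — the Windows Narrator binary is `Narrator.exe`, with a double r — so that alternative can never match a real path; change it to `- string: /windows\\system32\\narrator\.exe/i`. The other six names (`osk`, `Magnify`, `displayswitch`, `atbroker`, `sethc`, `utilman`) look right, and case differences are covered by the `/i` flag. A quick check of each name against a System32 listing before the rule leaves the nursery would catch this class of error.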
@@ -0,0 +1,21 @@
+rule:
+ meta:
+ name: persist via Windows Terminal Profile
+ namespace: persistence/file-system
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution [T1546]
+ references:
+ - https://nasbench.medium.com/persistence-using-windows-terminal-profiles-5035d3fc86fe
+ features:
+ - and:
+ - or:
+ - match: copy file
+ - match: move file
+ - match: write file on Windows
+ - or:
+ - string: /Local\\Packages\\Microsoft.WindowsTerminal_.*\\LocalState\\settings.json/i
diff --git a/nursery/write-to-browser-extension-directory.yml b/nursery/write-to-browser-extension-directory.yml
new file mode 100644
index 00000000..3e7a9854
--- /dev/null
+++ b/nursery/write-to-browser-extension-directory.yml
@@ -0,0 +1,22 @@
+rule:
+ meta:
+ name: write to browser extension directory
+ namespace: persistence/file-system
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Browser Extensions [T1176]
+ features:
+ - and:
+ - description: can be used for browser-based persistence
+ - or:
+ - match: copy file
+ - match: move file
+ - match: write file on Windows
+ - or:
+ - string: /\\Microsoft\\Edge\\User Data\\Default\\Extensions\\/i
+ - string: /\\Google\\Chrome\\User Data\\Default\\Extensions\\/i
+ - string: /\\Mozilla\\Firefox\\Profiles\\.*default\\extensions\\/i
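Review bot: The trailing `or:` in the Windows Terminal rule wraps a single `string:` child, so it adds an indentation level without adding any logic; place the string directly under `and:` as `- string: /Local\\Packages\\Microsoft\.WindowsTerminal_.*\\LocalState\\settings\.json/i` (dots escaped while at it). If the `or:` is a placeholder for further paths, note that the preview channel, as far as I know, ships under a different package family name (`Microsoft.WindowsTerminalPreview_…`) that the current pattern does not cover, which would be a legitimate second alternative. As it stands the block reads like an unfinished list.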
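Review bot: The Firefox pattern on the last line of the browser extension rule, `/\\Mozilla\\Firefox\\Profiles\\.*default\\extensions\\/i`, requires `default` to be immediately followed by `\extensions`, but recent Firefox releases name the default profile directory `<random>.default-release`, so writes into that profile's extensions folder will not match; `- string: /\\Mozilla\\Firefox\\Profiles\\[^\\]+\\extensions\\/i` covers any profile directory. The Chrome and Edge patterns likewise cover only the `Default` profile while additional profiles live under `Profile <n>` directories next to it. This is also the only rule in the set without a `references:` entry under `meta`; the ATT&CK page for T1176 would serve as a minimum.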