diff --git a/persistence/registry/persist-via-shellserviceobjectdelayload-registry-key.yml b/persistence/registry/persist-via-shellserviceobjectdelayload-registry-key.yml
new file mode 100644
index 000000000..a4de02a08
--- /dev/null
+++ b/persistence/registry/persist-via-shellserviceobjectdelayload-registry-key.yml
@@ -0,0 +1,25 @@
+rule:
+ meta:
+ name: persist via ShellServiceObjectDelayLoad registry key
+ namespace: persistence/registry
+ authors:
+ - xpzhxhm@gmail.com
+ description: Match on files using ShellServiceObjectDelayLoad to persist. Windows Explorer uses this key to load COM objects at startup, allowing malicious DLLs to execute automatically.
+ scopes:
+ static: function
+ dynamic: span of calls
+ att&ck:
+ - Persistence::Event Triggered Execution::Component Object Model Hijacking [T1546.015]
+ references:
+ - https://blog.virustotal.com/2024/03/com-objects-hijacking.html
+ examples:
+ - c05ec67e75693127e5556eee229b88f93c7cef926cfe905dfd5464be9d305c94
+ features:
+ - and:
+ - os: windows
+ - or:
+ - match: set registry value
+ - number: 0x80000002 = HKEY_LOCAL_MACHINE
+ - or:
+ - string: /Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad/i
+ - string: /Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad/i
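Review bot: The first inner `or` under `features` lets the rule match with no registry-write API at all — `number: 0x80000002 = HKEY_LOCAL_MACHINE` satisfies it on its own, so a function that merely opens or enumerates the ShellServiceObjectDelayLoad key under HKLM (inventory, cleanup or security tooling that only reads it) is reported as "persist via …". Unless the constant is deliberately there to cover samples that resolve the write API dynamically, replace that `or` with the single feature `- match: set registry value` so the key string must co-occur with an actual write; if it is deliberate, state it in `description`, e.g. `The HKLM handle constant is accepted in place of a resolved write API to cover dynamically resolved imports.` The two string alternatives look correct, and including the WOW6432Node path is a sensible addition.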