diff --git a/persistence/service/persist-via-windows-service.yml b/persistence/service/persist-via-windows-service.yml
index 7bd333ffd..81a483309 100644
--- a/persistence/service/persist-via-windows-service.yml
+++ b/persistence/service/persist-via-windows-service.yml
@@ -40,3 +40,10 @@ rule:
 - and:
 - match: set registry value
 - string: /System\\(ControlSet\d{3}|CurrentControlSet)\\Services/i
+ - or:
+ - string: /ImagePath/i
+ description: service binary path
+ - string: /ServiceDll/i
+ description: svchost-hosted service DLL
+ - string: /FailureCommand/i
+ description: command run on service failure
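Review bot: The three patterns under the added `or:` are unanchored and each requires the value name to be present as a literal string in the matched scope, so `/ImagePath/i` also hits longer unrelated strings such as `ImagePathName`. Word boundaries would tighten that without losing command-line or full-key-path forms, e.g. `- string: /\bImagePath\b/i`, and likewise for `ServiceDll` and `FailureCommand`. Assuming the `or:` is nested inside the `and:` (the indentation is not recoverable in this view), a sample that assembles the value name at runtime matched the old branch on the Services key alone and will no longer match; if that coverage matters, `- optional:` in place of `- or:` keeps it while still documenting the value names. The rule's `examples:` entries lie outside the hunk, so it is worth confirming they still hit after this tightening.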