
Summary
This detection rule monitors modifications to autorun entries under the Session Manager key in the Windows Registry (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager). These entries are autostart extensibility points (ASEPs): values and subkeys that the Session Manager reads during boot or process startup, which attackers abuse to maintain persistence without a user logging on. The rule watches registry write events whose target is one of these entries, such as SetupExecute and AppCertDlls, and flags changes that could indicate the installation of a backdoor or another persistence mechanism. Legitimate software installation, operating-system servicing and administrator actions also write to these entries, so a match is a lead to investigate rather than confirmed malicious activity: review the writing process and the new value, and filter known-good images instead of suppressing the rule.
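The following is an added example, not code from the rule or its authors, showing how the detection logic reads when run over Sysmon registry events (Event ID 12/13/14, one JSON record per line). The sample events are constructed for this illustration. Beyond the two entries the rule description names (SetupExecute and AppCertDlls), the key list below also includes BootExecute and Execute as further well-known Session Manager ASEPs; that extension, and the ALLOWED_IMAGES allowlist, are assumptions to be tuned to your environment rather than part of the rule.

```python
"""Flag Sysmon registry events that modify Session Manager autorun entries."""
import json
import re
from typing import Iterable, List, Optional

# Entries under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager that Windows
# consults at boot or process start. SetupExecute and AppCertDlls are named by the
# rule; BootExecute and Execute are added here as an assumption (well-known ASEPs).
SESSION_MANAGER_ASEPS = ("setupexecute", "appcertdlls", "bootexecute", "execute")

# Match the path regardless of hive prefix, case, or ControlSet number
# (CurrentControlSet is a link to ControlSet00N, and some sensors log the latter).
# The named group captures the first path component after "Session Manager\".
_KEY_RE = re.compile(
    r"\\system\\(currentcontrolset|controlset\d{3})\\control\\session manager\\"
    r"(?P<asep>[^\\]+)(?:\\|$)",
    re.IGNORECASE,
)

# Hypothetical allowlist of images that legitimately touch these entries during
# OS servicing. This is an assumption for the example; tune it per environment.
ALLOWED_IMAGES = {r"c:\windows\system32\poqexec.exe"}

# Sysmon registry event IDs: 12 key create/delete, 13 value set, 14 key/value rename.
REGISTRY_EVENT_IDS = (12, 13, 14)


def match_session_manager_asep(target_object: str) -> Optional[str]:
    """Return the lower-cased ASEP name if target_object lies under one, else None."""
    m = _KEY_RE.search(target_object)
    if m is None:
        return None
    asep = m.group("asep").lower()
    return asep if asep in SESSION_MANAGER_ASEPS else None


def evaluate(event: dict) -> Optional[dict]:
    """Apply the rule to one Sysmon event; return an alert dict or None."""
    if event.get("EventID") not in REGISTRY_EVENT_IDS:
        return None
    asep = match_session_manager_asep(event.get("TargetObject", ""))
    if asep is None:
        return None
    # False-positive handling: known servicing binaries are filtered, everything
    # else is surfaced with the context an analyst needs (who wrote what, where).
    if event.get("Image", "").lower() in ALLOWED_IMAGES:
        return None
    return {
        "asep": asep,
        "image": event.get("Image"),
        "target": event.get("TargetObject"),
        "details": event.get("Details"),
    }


def scan(lines: Iterable[str]) -> List[dict]:
    """Run the rule over JSON-lines Sysmon output and collect alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        hit = evaluate(json.loads(line))
        if hit is not None:
            alerts.append(hit)
    return alerts


# Constructed sample events (not real telemetry). Backslashes are JSON-escaped.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute", "Details": "autocheck autochk * C:\\ProgramData\\svc.exe"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls\\helper", "Details": "C:\\ProgramData\\helper.dll"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\poqexec.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\SetupExecute", "Details": "poqexec.exe /display_progress \\SystemRoot\\WinSxS\\pending.xml"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\Environment\\Path", "Details": "C:\\Windows\\system32"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
"""


def demo() -> List[dict]:
    """Run the rule over the constructed sample and return the alerts."""
    return scan(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for alert in demo():
        print(f"[{alert['asep']}] {alert['image']} wrote {alert['target']} = {alert['details']}")
```

Of the five sample events, only the BootExecute write from a Temp-directory binary and the AppCertDlls write via reg.exe produce alerts: the SetupExecute change is dropped by the servicing allowlist, the Environment write is under Session Manager but not an autorun entry, and the process-creation event is not a registry event at all. Matching on the path component immediately after "Session Manager\" is what keeps Environment and other benign subkeys out of scope while still catching values written beneath AppCertDlls.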
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
ATT&CK Techniques
- T1547.001
Created: 2019-10-25