
Summary
This detection rule monitors Windows registry modifications that indicate attempts to disable antivirus autostart functionality. Specifically, it targets changes made by malware such as ValleyRAT to disable the protection provided by antivirus products like Kingsoft and Tencent. The rule focuses on specific registry paths known to be altered during such attacks and checks particular registry values related to autostart settings. If these values are changed so that the antivirus will not start automatically at system boot, the rule raises an alert for further investigation. Early detection of these alterations is vital for protecting system integrity and keeping antivirus solutions operational during a compromise attempt. The rule uses Sysmon Event ID 13 data, so it is suited to environments where Sysmon is deployed to log detailed activity about processes and registry changes.
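To show how a rule of this kind is evaluated against Sysmon Event ID 13 (RegistryEvent: Value Set) records, here is an added Python example; it is not the rule's own query. The watched registry paths are labelled placeholders, not the real Kingsoft or Tencent keys (the summary does not list them), and the three event records are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Placeholder watch-list (NOT the real Kingsoft/Tencent keys, which the summary
# does not name): TargetObject suffix -> Details values that mean "do not autostart".
WATCHED_VALUES = {
    r"\SOFTWARE\PLACEHOLDER_AV_VENDOR_A\AutoStart": {"DWORD (0x00000000)"},
    r"\SOFTWARE\PLACEHOLDER_AV_VENDOR_B\Settings\BootRun": {"DWORD (0x00000000)"},
}
# Constructed Sysmon Event ID 13 records (RegistryEvent: Value Set): one suspicious, two benign.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>13</EventID></System>
<EventData><Data Name="EventType">SetValue</Data><Data Name="Image">C:\Users\Public\update.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\PLACEHOLDER_AV_VENDOR_A\AutoStart</Data><Data Name="Details">DWORD (0x00000000)</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>13</EventID></System>
<EventData><Data Name="EventType">SetValue</Data><Data Name="Image">C:\Program Files\AV\setup.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\PLACEHOLDER_AV_VENDOR_A\AutoStart</Data><Data Name="Details">DWORD (0x00000001)</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>13</EventID></System>
<EventData><Data Name="EventType">SetValue</Data><Data Name="Image">C:\Windows\explorer.exe</Data>
<Data Name="TargetObject">HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden</Data><Data Name="Details">DWORD (0x00000001)</Data></EventData></Event>""",
]

def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event into a dict of its EventData fields plus EventID."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return fields

def matches_rule(event):
    """True when a Value Set event writes a watched autostart value to a 'disabled' state."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return False
    target = event.get("TargetObject", "").upper()   # registry paths are case-insensitive
    return any(target.endswith(suffix.upper()) and event.get("Details") in disabled
               for suffix, disabled in WATCHED_VALUES.items())

def run_detection(xml_events):
    """Return (Image, TargetObject) for every record the rule matches."""
    hits = []
    for xml_text in xml_events:
        ev = parse_sysmon_event(xml_text)
        if matches_rule(ev):
            hits.append((ev["Image"], ev["TargetObject"]))
    return hits

if __name__ == "__main__":
    for image, target in run_detection(SAMPLE_EVENTS):
        print(f"ALERT: {image} set AV autostart to disabled via {target}")
```

Only the write that sets the value to 0 fires; re-enabling the same value, or writing an unrelated key, does not.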
Categories
- Endpoint
Data Sources
- Pod
- Container
- User Account
- Windows Registry
ATT&CK Techniques
- T1112
Created: 2024-11-13