
VBScript Payload Stored in Registry

Summary
This detection rule identifies VBScript payloads stored in the Windows Registry, specifically under the `Software\Microsoft\Windows\CurrentVersion\Run` key, an autorun location that threat actors commonly abuse for persistence. The rule looks for patterns associated with VBScript, JScript and MSHTML that indicate malicious intent: it selects registry value-set events whose data contains keywords or calls typically used to execute scripts or launch applications from a Run value. This technique has been associated with advanced persistent threats (APTs), notably the UNC2452 group, which has used it in its operations. The rule also includes a filter that excludes known benign entries, so that analysts can focus on potentially malicious payloads. Rated at a high level, the rule aims to keep false positives low while giving clear visibility into potentially harmful autorun configurations in a Windows environment.
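The selection-and-filter logic the summary describes, as an added Python example that is not the published rule or part of this page: it applies the Run-key path test, an assumed set of script-engine and MSHTML indicators, and an assumed benign-value filter to constructed Sysmon-style registry value-set events.

```python
# Constructed Sysmon Event ID 13 style events: (TargetObject, Details).
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"

# Substrings that reveal a script engine or MSHTML being invoked from a Run
# value; this list is an assumption, the published rule's may differ.
SCRIPT_INDICATORS = ("vbscript:", "jscript:", "mshtml,", "runhtmlapplication",
                     "execute(", "createobject")

# Assumed benign filter: Sysmon writes "(Empty)" when a value is cleared.
BENIGN_DETAILS = {"", "(empty)"}


def matches_rule(target_object: str, details: str) -> bool:
    """selection AND NOT filter, case-insensitive like Sigma 'contains'."""
    target, data = target_object.lower(), details.lower()
    if RUN_KEY not in target:           # selection: must be an autorun value
        return False
    if data.strip() in BENIGN_DETAILS:  # filter: nothing to execute
        return False
    return any(tok in data for tok in SCRIPT_INDICATORS)


def scan(events):
    """Return the TargetObject of every event the rule would alert on."""
    return [t for t, d in events if matches_rule(t, d)]


SAMPLE_EVENTS = [  # constructed, not real telemetry
    (r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     r'rundll32.exe vbscript:"..\mshtml,RunHTMLApplication"'),
    (r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Stale", "(Empty)"),
    (r"HKLM\SOFTWARE\Classes\CLSID\{constructed}\InprocServer32\(Default)",
     "mshtml,RunHTMLApplication"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Only the first sample event fires: the OneDrive entry carries no script indicator, the cleared value is dropped by the filter, and the CLSID entry is outside the Run key.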
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
Created: 2021-03-05