
Windows Modify Registry Do Not Connect To Win Update

Splunk Security Content

Summary
This detection identifies registry modifications that stop a Windows host from contacting Windows Update: a write to the value *\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations with data 0x00000001 (policy enabled). Malware such as RedLine Stealer makes this change to keep the host from receiving security updates, which leaves it exposed to known exploits, helps the attacker maintain persistence, and eases the delivery of further payloads. The rule uses Sysmon Event ID 12 (registry key created or deleted) and Event ID 13 (registry value set) to alert administrators when the policy is switched on; the value data needed for the match is only present in Event ID 13. Because Group Policy writes the same value when an administrator enables "Do not connect to any Windows Update Internet locations", confirm the intent behind the change (the writing process, the user, and whether a matching policy exists) before treating the modification as malicious.
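The following is an added example, not the Splunk Security Content search itself: it replays the detection logic described above over a handful of constructed Sysmon Event ID 12/13 records (the dictionaries mirror the EventData fields TargetObject, Details and Image; the RecordId, process paths and user names are made up for illustration). It shows which events fire, which do not (key creation without value data, the value being reset to 0, a sibling value under the same key), and returns the process image so an analyst can start the intent check the summary asks for.

```python
"""Replay the Do-Not-Connect-To-Windows-Update detection over sample Sysmon events.

Added example; not the Splunk search from the Security Content project.
Event records below are constructed to look like Sysmon Event ID 12/13
EventData and are not real telemetry.
"""
import fnmatch
import re

# Path the detection keys on. The leading wildcard covers the hive prefix
# (HKLM\...), as in the summary above.
TARGET_PATH = (r"*\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
               r"\DoNotConnectToWindowsUpdateInternetLocations")

# Sysmon renders a REG_DWORD in the Details field as "DWORD (0x00000001)".
DWORD_RE = re.compile(r"DWORD \((0x[0-9a-fA-F]{8})\)")

# Constructed sample events (hypothetical RecordId, Image and User values).
SAMPLE_EVENTS = [
    # Key creation carries no value data, so it cannot satisfy the 0x1 match.
    {"RecordId": 1, "EventID": 12, "EventType": "CreateKey",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate",
     "Details": "", "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "User": r"DESKTOP-01\alice"},
    # Policy enabled from a user-writable temp directory: this is the alert case.
    {"RecordId": 2, "EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
                     r"\DoNotConnectToWindowsUpdateInternetLocations",
     "Details": "DWORD (0x00000001)",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "User": r"DESKTOP-01\alice"},
    # An administrator resetting the value to 0 re-enables updates: no alert.
    {"RecordId": 3, "EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
                     r"\DoNotConnectToWindowsUpdateInternetLocations",
     "Details": "DWORD (0x00000000)",
     "Image": r"C:\Windows\System32\reg.exe", "User": r"DESKTOP-01\admin"},
    # A sibling value under the same key is out of scope for this rule.
    {"RecordId": 4, "EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
                     r"\AU\NoAutoUpdate",
     "Details": "DWORD (0x00000001)",
     "Image": r"C:\Windows\System32\reg.exe", "User": r"DESKTOP-01\admin"},
    # Same value written by Group Policy processing (mixed-case path):
    # the rule still fires, and the Image is what tells the analyst it
    # may be legitimate.
    {"RecordId": 5, "EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate"
                     r"\DoNotConnectToWindowsUpdateInternetLocations",
     "Details": "DWORD (0x00000001)",
     "Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM"},
]


def parse_dword(details):
    """Return the integer value of a Sysmon DWORD Details string, or None."""
    m = DWORD_RE.match(details or "")
    return int(m.group(1), 16) if m else None


def matches(event):
    """Apply the rule: Event ID 13, target path matches, data == 0x00000001."""
    if event.get("EventID") != 13:
        return False
    # Registry paths are case-insensitive on Windows, so compare lower-cased.
    if not fnmatch.fnmatchcase(event["TargetObject"].lower(), TARGET_PATH.lower()):
        return False
    return parse_dword(event.get("Details")) == 1


def run_detection(events):
    """Return the events that satisfy the rule, in input order."""
    return [e for e in events if matches(e)]


def triage_rows(events):
    """(RecordId, Image, User) for each hit; the analyst checks whether the
    writing process is Group Policy/legitimate tooling or something else."""
    return [(e["RecordId"], e["Image"], e["User"]) for e in run_detection(events)]


if __name__ == "__main__":
    for rid, image, user in triage_rows(SAMPLE_EVENTS):
        print(f"ALERT record={rid} image={image} user={user}")
```

Running the block prints two alerts: record 2, where a binary in a user temp directory enabled the policy, and record 5, written by svchost.exe as SYSTEM, which is the pattern to compare against an actual Group Policy object before escalating.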
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1112
Created: 2024-11-13