
Startup/Logon Script added to Group Policy Object

Elastic Detection Rules

Summary
This rule detects modifications to Group Policy Objects (GPOs) in a Windows domain that add a startup or logon script. Attackers abuse GPOs to run a command on many domain-joined machines at once, either by attaching the Scripts client-side extension to a GPO or by writing to the `scripts.ini` / `psscripts.ini` files stored in the GPO's folder on the SYSVOL share. The rule relies on two Windows Security event IDs: 5136 (a directory service object was modified), used to catch changes to the GPO's extension attributes, and 5145 (a network share object was checked for access), used to catch writes to the script configuration files in SYSVOL. The rule ships with investigation steps for judging whether a change was legitimate, lists the false positives that routine administrative work produces, and gives response and remediation guidance for containing a confirmed abuse. Both event IDs depend on audit configuration: 5136 requires the Directory Service Changes audit subcategory plus a SACL on the GPO objects, and 5145 requires the Detailed File Share subcategory; without these the rule produces no alerts. It is mapped to MITRE ATT&CK Domain Policy Modification (T1484, T1484.001) and Boot or Logon Autostart Execution (T1547), both used here for privilege escalation.
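As an added illustration, not the rule's own query or any Elastic code, the Python below sketches the two detection branches described above and runs them over constructed sample events laid out with the `winlog.*` field names Elastic's Windows integration uses. The Scripts client-side-extension GUID, the two Scripts snap-in GUIDs, the `%%4417` (WriteData) access-mask token, and the sample directory names are assumptions taken from Windows documentation and should be checked against the rule source before reuse.

```python
"""Toy re-implementation of the 5136 / 5145 branches of the GPO script rule.

Added example, not the Elastic rule itself. GUIDs and the %%4417 token are
assumptions to verify against the published rule.
"""
from __future__ import annotations

from typing import Iterable

# Assumed: GUID of the Scripts client-side extension (CSE) and the two Scripts
# snap-in GUIDs that are paired with it inside gPCMachineExtensionNames /
# gPCUserExtensionNames when a script is attached to a GPO.
SCRIPTS_CSE_GUID = "42B5FAAE-6536-11D2-AE5A-0000F87571E3"
SCRIPTS_SNAPIN_GUIDS = (
    "40B66650-4972-11D1-A7CA-0000F87571E3",  # startup/shutdown scripts
    "40B6664F-4972-11D1-A7CA-0000F87571E3",  # logon/logoff scripts
)
GPO_EXTENSION_ATTRS = {"gPCMachineExtensionNames", "gPCUserExtensionNames"}
SCRIPT_INI_NAMES = ("\\scripts.ini", "\\psscripts.ini")
WRITE_DATA_TOKEN = "%%4417"  # assumed: Windows message token for WriteData/AddFile


def matches_gpo_extension_change(ev: dict) -> bool:
    """Branch 1: event 5136 writing a Scripts CSE pair into a GPO extension list."""
    if ev.get("event.code") != "5136":
        return False
    if ev.get("winlog.event_data.AttributeLDAPDisplayName") not in GPO_EXTENSION_ATTRS:
        return False
    # AttributeValue is case-preserving in the log, so normalise before matching.
    value = ev.get("winlog.event_data.AttributeValue", "").upper()
    return SCRIPTS_CSE_GUID in value and any(g in value for g in SCRIPTS_SNAPIN_GUIDS)


def matches_sysvol_script_write(ev: dict) -> bool:
    """Branch 2: event 5145 with WriteData on scripts.ini/psscripts.ini under SYSVOL."""
    if ev.get("event.code") != "5145":
        return False
    share = ev.get("winlog.event_data.ShareName", "").upper()
    if not (share.startswith("\\\\") and share.endswith("\\SYSVOL")):
        return False
    target = ev.get("winlog.event_data.RelativeTargetName", "").lower()
    if not target.endswith(SCRIPT_INI_NAMES):
        return False
    # Real events list several %%tokens across multiple lines; a substring test is enough.
    return WRITE_DATA_TOKEN in ev.get("winlog.event_data.AccessList", "")


def detect(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (reason, object) pairs for every event that trips either branch."""
    hits: list[tuple[str, str]] = []
    for ev in events:
        if matches_gpo_extension_change(ev):
            hits.append(("gpo_extension_modified", ev["winlog.event_data.ObjectDN"]))
        elif matches_sysvol_script_write(ev):
            hits.append(("sysvol_script_written", ev["winlog.event_data.RelativeTargetName"]))
    return hits


# Constructed sample events (not captured from a real domain). The GPO GUID is the
# well-known Default Domain Policy identifier; domain and host names are made up.
GPO_DN = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=local"
SCRIPTS_INI = "corp.local\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\Machine\\Scripts\\scripts.ini"
SAMPLE_EVENTS = [
    {  # attacker attaches the Scripts CSE to the Default Domain Policy -> alert
        "event.code": "5136",
        "winlog.event_data.AttributeLDAPDisplayName": "gPCMachineExtensionNames",
        "winlog.event_data.AttributeValue": "[{42b5faae-6536-11d2-ae5a-0000f87571e3}{40b66650-4972-11d1-a7ca-0000f87571e3}]",
        "winlog.event_data.ObjectDN": GPO_DN,
        "winlog.event_data.SubjectUserName": "jdoe",
    },
    {  # admin adds the Registry (administrative templates) CSE instead -> no alert
        "event.code": "5136",
        "winlog.event_data.AttributeLDAPDisplayName": "gPCMachineExtensionNames",
        "winlog.event_data.AttributeValue": "[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]",
        "winlog.event_data.ObjectDN": GPO_DN,
        "winlog.event_data.SubjectUserName": "gpoadmin",
    },
    {  # attacker writes scripts.ini in SYSVOL with WriteData -> alert
        "event.code": "5145",
        "winlog.event_data.ShareName": "\\\\DC01\\SYSVOL",
        "winlog.event_data.RelativeTargetName": SCRIPTS_INI,
        "winlog.event_data.AccessList": "%%4417\n\t\t\t\t%%4418",
    },
    {  # a client reading scripts.ini at logon (ReadData only) -> no alert
        "event.code": "5145",
        "winlog.event_data.ShareName": "\\\\DC01\\SYSVOL",
        "winlog.event_data.RelativeTargetName": SCRIPTS_INI,
        "winlog.event_data.AccessList": "%%4416",
    },
    {  # a write to Registry.pol, not a script file -> no alert
        "event.code": "5145",
        "winlog.event_data.ShareName": "\\\\DC01\\SYSVOL",
        "winlog.event_data.RelativeTargetName": "corp.local\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\Machine\\Registry.pol",
        "winlog.event_data.AccessList": "%%4417",
    },
]

if __name__ == "__main__":
    for reason, obj in detect(SAMPLE_EVENTS):
        print(f"{reason}: {obj}")
```

Running the file reports exactly the two attacker events; the administrative-templates change, the logon-time read of `scripts.ini`, and the `Registry.pol` write stay quiet. The two benign 5145 cases are the main false-positive shapes to keep in mind when tuning: every client reads these files at startup, and Group Policy editing writes plenty of other files in the same folder.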
Categories
  • Windows
  • Cloud
  • On-Premise
  • Identity Management
  • Endpoint
Data Sources
  • Active Directory
  • Logon Session
  • Windows Registry
ATT&CK Techniques
  • T1484
  • T1484.001
  • T1547
Created: 2021-11-08