
Summary
This detection rule identifies modifications to the User Shell Folders registry values on Windows systems. Specifically, it monitors for changes made through command-line utilities such as reg.exe and PowerShell, which may signify an attacker's attempt to establish persistence on a compromised machine. The values under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders` (and the machine-wide equivalent under HKLM) hold folder paths, not programs: the `Startup` value (or `Common Startup` under HKLM) tells Explorer where the Startup folder lives. An attacker who redirects that value to a directory they control causes everything placed in that directory to execute at the next user logon, maintaining their presence without touching the well-known Run keys. The detection leverages command-line parameters indicating modifications to the User Shell Folders key, with a focus on those containing the 'Startup' keyword, since that value is the one relevant to this persistence mechanism. False positives may arise from legitimate uses of these tools to modify registry values (for example an administrator or script restoring the default Startup path), but such occurrences are expected to be infrequent and can be tuned out by excluding writes whose target is the default location. The rule is currently in an experimental phase, indicating ongoing refinement and testing.
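As an added illustration of the command-line check described above (this is example code written for this page, not the rule's own search logic), the following Python runs a comparable detection over a handful of constructed process-creation events. The field names `host`, `user`, `process` and `cmdline` are an assumption of the example. Two refinements beyond the summary's description are also the example's own: it requires a write verb (`reg add`, or a PowerShell `*-ItemProperty` cmdlet) so that a read-only `reg query` mentioning the same key does not fire, and it downgrades a write whose new value is the well-known default Startup path, which is the false-positive case a practitioner most often sees.

```python
import re

# Constructed sample process-creation events (not real telemetry); the field
# names host/user/process/cmdline are an assumption of this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "process": "reg.exe",
     "cmdline": r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" '
                r'/v Startup /t REG_EXPAND_SZ /d "C:\Users\Public\Libraries\drop" /f'},
    {"host": "ws02", "user": "bob", "process": "powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden -c Set-ItemProperty -Path "
                r"'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' "
                r"-Name Startup -Value 'C:\ProgramData\x'"},
    # Read-only query: names the key and value but changes nothing.
    {"host": "ws03", "user": "carol", "process": "reg.exe",
     "cmdline": r'reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Startup'},
    # Write to a different shell folder (Personal), not the Startup value.
    {"host": "ws04", "user": "dave", "process": "reg.exe",
     "cmdline": r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" '
                r'/v Personal /t REG_EXPAND_SZ /d "D:\Docs" /f'},
    # Keywords present, but the process is not a registry-editing tool.
    {"host": "ws05", "user": "erin", "process": "cmd.exe",
     "cmdline": r"cmd.exe /c echo User Shell Folders Startup"},
    # Machine-wide variant: the HKLM key's value is named "Common Startup".
    {"host": "ws06", "user": "frank", "process": "reg.exe",
     "cmdline": r'reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" '
                r'/v "Common Startup" /t REG_EXPAND_SZ /d "C:\Users\Public\tmp" /f'},
    # Restoring the default per-user path: a write, but a benign one.
    {"host": "ws07", "user": "grace", "process": "reg.exe",
     "cmdline": r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" '
                r'/v Startup /t REG_EXPAND_SZ /d "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /f'},
]

REGISTRY_TOOLS = {"reg.exe", "powershell.exe", "pwsh.exe"}
REG_ADD = re.compile(r"\breg(?:\.exe)?\s+add\b", re.IGNORECASE)
PS_WRITE = re.compile(r"\b(?:Set-ItemProperty|New-ItemProperty|sp)\b", re.IGNORECASE)
REG_DATA = re.compile(r'/d\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
PS_VALUE = re.compile(r"""-Value\s+(?:'([^']*)'|"([^"]*)"|(\S+))""", re.IGNORECASE)

# Well-known default Startup locations. Treating a write that restores one of
# these as benign is this example's tuning choice, not part of the rule.
DEFAULT_STARTUP_PATHS = {
    r"%userprofile%\appdata\roaming\microsoft\windows\start menu\programs\startup",
    r"%programdata%\microsoft\windows\start menu\programs\startup",
}


def evaluate(event):
    """Return an alert dict if the event writes a Startup entry under User Shell Folders, else None."""
    proc = event["process"].lower()
    cmd = event["cmdline"]
    low = cmd.lower()
    if proc not in REGISTRY_TOOLS:
        return None
    if "user shell folders" not in low or "startup" not in low:
        return None
    if proc == "reg.exe":
        if not REG_ADD.search(cmd):  # reg query / export do not modify the value
            return None
        match = REG_DATA.search(cmd)
    else:
        if not PS_WRITE.search(cmd):
            return None
        match = PS_VALUE.search(cmd)
    # First non-empty capture group is the new folder path, if one was parsed.
    new_path = next((g for g in match.groups() if g), "") if match else ""
    benign = new_path.lower().rstrip("\\") in DEFAULT_STARTUP_PATHS
    return {
        "host": event["host"],
        "user": event["user"],
        "process": proc,
        "new_path": new_path,
        "severity": "info" if benign else "high",
    }


def run_detection(events):
    """Apply evaluate() to every event and keep only the hits."""
    return [hit for hit in map(evaluate, events) if hit]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['host']} {alert['user']} "
              f"{alert['process']} -> {alert['new_path']}")
```

Run against the constructed events, ws01, ws02 and ws06 raise high-severity alerts (the new path is not a default Startup location), ws07 is reported at info severity because it only restores the default, and the query, the write to the Personal value and the cmd.exe echo produce nothing. Extracting the new folder path into the alert is what lets an analyst triage quickly: a path under a user-writable or public directory is the signal worth chasing.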
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Command
ATT&CK Techniques
- T1547.001
Created: 2026-01-05