
Summary
This analytic rule detects modifications to the Windows registry that disable the Command Prompt (CMD) application by monitoring changes to the 'DisableCMD' registry value in the Endpoint.Registry data model. The rule raises an alert when it identifies a change to the registry key that sets 'DisableCMD' to '1', indicating that CMD is disabled. Disabling CMD hampers an analyst's ability to investigate incidents, which is why it is a common tactic of malware such as Remote Access Trojans (RATs), Trojans, and Worms seeking to maintain persistence within a compromised environment. The rule is implemented using Sysmon event data, specifically Event IDs 12 and 13, which provide the required information on registry modifications. Security teams should verify these detections, as confirmed malicious activity of this kind could obstruct incident response efforts.
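Detection logic of the kind the summary describes, run over constructed Sysmon registry records, as an added example rather than the rule's own search: it parses the DWORD written in an Event ID 13 'Details' field, fires only when the value under a TargetObject ending in \DisableCMD is 1, and ignores a bare Event ID 12 value creation (which carries no value) and a reset to 0. The hostnames, SIDs and process paths are constructed; the field names are Sysmon's RegistryEvent fields.

```python
import re

# Constructed sample Sysmon registry events (not real telemetry). Field names
# follow Sysmon's RegistryEvent schema: EventID 13 = value set (carries
# Details), EventID 12 = key/value create or delete (no Details field).
POLICY_KEY = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Policies\Microsoft\Windows\System"
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Computer": "WS01",
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetObject": POLICY_KEY + r"\DisableCMD", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "EventType": "SetValue", "Computer": "WS01",
     "Image": r"C:\Windows\System32\gpupdate.exe",
     "TargetObject": POLICY_KEY + r"\DisableCMD", "Details": "DWORD (0x00000000)"},
    {"EventID": 12, "EventType": "CreateValue", "Computer": "WS01",
     "Image": r"C:\Windows\regedit.exe", "TargetObject": POLICY_KEY + r"\DisableCMD"},
    {"EventID": 13, "EventType": "SetValue", "Computer": "WS01",
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": POLICY_KEY + r"\DisableRegistryTools", "Details": "DWORD (0x00000001)"},
]

_DWORD_RE = re.compile(r"DWORD\s*\((0x[0-9A-Fa-f]+)\)")


def parse_dword(details):
    """Return the integer in a Sysmon 'DWORD (0x0000000n)' Details string, else None."""
    m = _DWORD_RE.search(details or "")
    return int(m.group(1), 16) if m else None


def is_disable_cmd_set(event):
    """True when a Sysmon registry event sets DisableCMD to 1 (the rule's alert condition)."""
    if event.get("EventID") not in (12, 13):
        return False
    if not event.get("TargetObject", "").lower().endswith(r"\disablecmd"):
        return False
    # Only EventID 13 carries the written value; a bare CreateValue (EventID 12)
    # has no Details, so it cannot by itself show that CMD was disabled.
    return parse_dword(event.get("Details")) == 1


def find_disable_cmd_alerts(events):
    """Reduce matching events to the fields an analyst needs for triage."""
    return [{"host": e.get("Computer"), "process": e.get("Image"),
             "target": e["TargetObject"], "value": parse_dword(e.get("Details"))}
            for e in events if is_disable_cmd_set(e)]
```

The process path in the surviving alert is what an analyst triages first: a Group Policy refresh writing the value is expected, an unsigned binary in a user's Temp directory is not.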
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Script
ATT&CK Techniques
- T1562.001
- T1562
- T1112
Created: 2024-12-08