
Windows Disable Windows Group Policy Features Through Registry

Splunk Security Content

Summary
This detection rule identifies suspicious modifications to the Windows Registry that are intended to disable Group Policy features. Such modifications can hinder security and forensic efforts; disabling these services is a tactic typically abused by ransomware to maintain control over compromised systems. The rule uses Sysmon event log data, focusing on changes to critical registry paths related to Windows Group Policy, and inspects the specific value names and value data of the policy settings that attackers could manipulate. By monitoring these alterations, the rule aims to detect unauthorized actions that could weaken the security posture of the system.
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Script
ATT&CK Techniques
  • T1112
Created: 2024-12-16