Potential Proxy Malware via AutoRun Key

Anvilogic Forge

Summary
This detection rule targets a persistence mechanism used by the SystemBC malware, which is known for operating as a proxy, bot, backdoor, and Remote Access Tool (RAT). SystemBC gains persistence by modifying Windows Registry Run keys, in particular the key at \SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and identifies itself by configuring these keys with the value 'socks5', so that it runs on every system boot or user logon and retains access to the infected system. The rule monitors changes to this specific registry key, which can indicate SystemBC or similar malware attempting to establish or maintain a foothold on a device. By leveraging PowerShell script block event logs (EventCode 4104), the rule captures potential unauthorized modifications of this key linked to the malware, helping organizations detect and respond to such activity.
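The check described above, written out as an added example in Python (it is not Anvilogic's rule logic): it filters constructed PowerShell script block events to EventCode 4104, requires a registry write operation that references the Run key path, and requires the 'socks5' token anywhere in the script text. The sample events, the cmdlet and reg.exe patterns, and the field names are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample events modelled on PowerShell ScriptBlock logging (EventCode 4104);
# illustrative only, not telemetry from any real host.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventCode": 4104, "ScriptBlockText":
        r"Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' "
        r"-Name 'socks5' -Value 'C:\Users\Public\svc.exe'"},
    {"EventCode": 4104, "ScriptBlockText":
        r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v socks5 /d C:\Users\Public\a.exe /f"},
    {"EventCode": 4104, "ScriptBlockText":          # benign write: no marker
        r"New-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' "
        r"-Name 'Updater' -Value 'C:\Program Files\Vendor\upd.exe'"},
    {"EventCode": 4104, "ScriptBlockText":          # read only, not a modification
        r"Get-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"EventCode": 4103, "ScriptBlockText":          # wrong event code for this rule
        r"Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name socks5 -Value x"},
]

# The Run key path (any hive prefix); \b keeps RunOnce out of scope.
RUN_KEY = re.compile(r"software\\microsoft\\windows\\currentversion\\run\b", re.IGNORECASE)
# Ways a script block commonly writes a registry value (assumed set, extend as needed).
WRITE_OP = re.compile(r"(set-itemproperty|new-itemproperty|reg(\.exe)?\s+add|\.SetValue\()", re.IGNORECASE)
MARKER = re.compile(r"socks5", re.IGNORECASE)


def is_suspicious_run_key_write(event: Dict[str, object]) -> bool:
    """True when a 4104 script block writes the Run key and carries the 'socks5' marker."""
    if event.get("EventCode") != 4104:
        return False
    text = str(event.get("ScriptBlockText", ""))
    return bool(RUN_KEY.search(text) and WRITE_OP.search(text) and MARKER.search(text))


def find_alerts(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the events that should raise an alert under this rule."""
    return [e for e in events if is_suspicious_run_key_write(e)]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["ScriptBlockText"])
```

Only the first two sample events fire; the benign write, the read, and the non-4104 event are ignored, which is the triage a practitioner wants before pivoting to the process that ran the script.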
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1059.001
  • T1547.001
Created: 2024-02-09