
Summary
The 'Revil Registry Entry' analytic identifies suspicious modifications to Windows registry entries commonly used by malware such as REvil. It tracks changes under two specific registry paths, 'SOFTWARE\WOW6432Node\Facebook_Assistant' and 'SOFTWARE\WOW6432Node\BlackLivesMatter', which are known to be used to establish persistence in ransomware attacks. The detection relies on data from Endpoint Detection and Response (EDR) agents, in particular the process GUIDs associated with each registry modification, so that a registry change can be tied back to the process that made it. This matters because changes to these keys can signal malware persistence of the kind commonly used by advanced persistent threats (APTs). A hit may indicate that attackers are attempting to maintain access to a compromised system, which in turn enables file encryption and the storage of ransomware-specific information. The analytic is implemented as a Splunk query that joins endpoint process and registry event data, so that EDR agent logs are used to surface these malicious changes.
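The page names the two watched registry paths and says the analytic joins registry events to process events on process GUID, but does not reproduce the Splunk query itself. The following is an added Python example, not the analytic's own code, that implements the same correlation over a handful of constructed EDR-style events. The event field names (process_guid, registry_path, registry_value_name, action, dest, user) are assumptions modelled on typical endpoint telemetry; only the two registry paths come from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Registry paths named in the analytic summary (the only page-sourced values here).
WATCHED_REGISTRY_PATHS = (
    r"SOFTWARE\WOW6432Node\Facebook_Assistant",
    r"SOFTWARE\WOW6432Node\BlackLivesMatter",
)

# Case-insensitive match. A hive prefix (HKLM\ or HKEY_LOCAL_MACHINE\) and any
# trailing subkey are tolerated so that both key creation and value writes match,
# while look-alike keys such as ...\Facebook_Assistant_Other do not.
_WATCHED_RE = re.compile(
    r"(?:^|\\)(?:" + "|".join(re.escape(p) for p in WATCHED_REGISTRY_PATHS) + r")(?:\\|$)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcessEvent:
    """EDR process telemetry; field names are assumed, not taken from the page."""
    process_guid: str
    process_name: str
    dest: str        # host on which the process ran
    user: str


@dataclass(frozen=True)
class RegistryEvent:
    """EDR registry telemetry; field names are assumed, not taken from the page."""
    process_guid: str
    registry_path: str
    registry_value_name: str
    action: str      # e.g. "created", "modified"


def is_watched_path(registry_path: str) -> bool:
    """True when the path is one of the watched keys or sits beneath one."""
    return _WATCHED_RE.search(registry_path) is not None


def correlate(process_events: Iterable[ProcessEvent],
              registry_events: Iterable[RegistryEvent]) -> List[Dict[str, str]]:
    """Join registry hits to their originating process on process_guid.

    A hit whose process_guid has no matching process event is still reported
    (process fields set to "unknown") rather than silently dropped, since a
    missing process record is itself worth an analyst's attention.
    """
    by_guid: Dict[str, ProcessEvent] = {p.process_guid: p for p in process_events}
    alerts: List[Dict[str, str]] = []
    for r in registry_events:
        if not is_watched_path(r.registry_path):
            continue
        p: Optional[ProcessEvent] = by_guid.get(r.process_guid)
        alerts.append({
            "process_guid": r.process_guid,
            "process_name": p.process_name if p else "unknown",
            "dest": p.dest if p else "unknown",
            "user": p.user if p else "unknown",
            "registry_path": r.registry_path,
            "registry_value_name": r.registry_value_name,
            "action": r.action,
        })
    return alerts


# Constructed sample telemetry (not real data): one benign Run-key write, two
# writes under the watched keys, one write whose process record is missing,
# and one write to a look-alike key that must not fire.
SAMPLE_PROCESSES = [
    ProcessEvent("{guid-0001}", "powershell.exe", "ws01", "ACME\\jdoe"),
    ProcessEvent("{guid-0002}", "explorer.exe", "ws01", "ACME\\jdoe"),
]
SAMPLE_REGISTRY = [
    RegistryEvent("{guid-0002}", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                  "OneDrive", "modified"),
    RegistryEvent("{guid-0001}", r"HKLM\SOFTWARE\WOW6432Node\BlackLivesMatter",
                  "config", "created"),
    RegistryEvent("{guid-0001}", r"hklm\software\wow6432node\facebook_assistant\sub",
                  "data", "modified"),
    RegistryEvent("{guid-0009}", r"HKLM\SOFTWARE\WOW6432Node\Facebook_Assistant",
                  "config", "created"),
    RegistryEvent("{guid-0002}", r"HKLM\SOFTWARE\WOW6432Node\Facebook_Assistant_Other",
                  "x", "created"),
]


def run_sample() -> List[Dict[str, str]]:
    """Run the correlation over the constructed sample; returns three alerts."""
    return correlate(SAMPLE_PROCESSES, SAMPLE_REGISTRY)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert['dest']} {alert['user']} {alert['process_name']} "
              f"{alert['action']} {alert['registry_path']}\\{alert['registry_value_name']}")
```

The path match is anchored on a backslash or string boundary on both sides so that a deliberately similar key name does not produce a false positive, and the join is left-outer in spirit: a registry hit with no process record still surfaces, which is the safer failure mode for a persistence detection.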
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Command
- Logon Session
ATT&CK Techniques
- T1112
Created: 2024-11-13