
Potentially Suspicious ODBC Driver Registered

Sigma Rules

Summary
This detection rule identifies the registration of potentially suspicious ODBC (Open Database Connectivity) drivers on Windows systems. It monitors the Windows registry for changes indicating that a new ODBC driver has been registered from a directory considered unusual or problematic. High-risk directories include Temp folders, ProgramData, and installation directories under System32 that might be used for persistence or other malicious activity. The rule looks specifically at the Setup and Driver entries that the registry associates with ODBC drivers, so that any registration pointing into one of these directories is flagged for further investigation.

Such registrations may indicate an attempt by attackers to use ODBC drivers as part of their persistence strategy within the target environment. The rule covers a range of registry paths that legitimate software installations are typically advised against, and registrations there can indicate adversary tradecraft. Alerting on such changes reinforces endpoint protection measures and notifies sysadmins so they can investigate the source and legitimacy of the driver registration.
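As an added illustration (not the Sigma rule's own selection or code), the following Python matcher applies the logic the summary describes to Sysmon Event ID 13 registry value-set events; the directory list and the sample events are constructed here from the categories the summary names and are assumptions, not the rule's actual values.

```python
from typing import Iterable

# Constructed list of directory fragments the summary calls out as unusual
# homes for a driver DLL (Temp folders, ProgramData); not the rule's own list.
SUSPICIOUS_DIRS = (
    "\\windows\\temp\\",
    "\\appdata\\local\\temp\\",
    "\\programdata\\",
)

# Key under which ODBC drivers are registered; the fragment also matches the
# WOW6432Node copy used for 32-bit drivers.
ODBC_INST_KEY = "\\odbc\\odbcinst.ini\\"
# The values that hold the DLL path the ODBC Driver Manager will load.
ODBC_PATH_VALUES = ("\\driver", "\\setup")


def is_suspicious_odbc_registration(target_object: str, details: str) -> bool:
    """True when a Driver/Setup value under ODBCINST.INI points into an unusual directory."""
    key = target_object.lower()
    path = details.lower()
    if ODBC_INST_KEY not in key or not key.endswith(ODBC_PATH_VALUES):
        return False
    return any(frag in path for frag in SUSPICIOUS_DIRS)


def scan_events(events: Iterable[dict]) -> list[dict]:
    """Keep only Sysmon registry value-set events (EventID 13) that the logic flags."""
    return [
        ev for ev in events
        if ev.get("EventID") == 13
        and is_suspicious_odbc_registration(ev.get("TargetObject", ""), ev.get("Details", ""))
    ]


# Constructed sample events for a stand-alone run (two should alert, two should not).
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\ODBC\ODBCINST.INI\Sample Driver\Driver",
     "Details": r"C:\Windows\Temp\sampledrv.dll"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\ODBC\ODBCINST.INI\SQL Server\Driver",
     "Details": r"C:\Windows\System32\SQLSRV32.dll"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\ODBC\ODBCINST.INI\ODBC Drivers\Sample Driver",
     "Details": "Installed"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\ODBC\ODBCINST.INI\Sample Driver\Setup",
     "Details": r"C:\ProgramData\Sample\setup.dll"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("ALERT:", hit["TargetObject"], "->", hit["Details"])
```

The third sample event shows why the value name matters: the driver's entry under the `ODBC Drivers` list key is set during any install and carries no path, so only the `Driver` and `Setup` values are worth matching on.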
Categories
  • Windows
Data Sources
  • Windows Registry
Created: 2023-05-23