
Summary
This analytic rule detects the unauthorized deletion of registry keys by non-critical processes on Windows endpoints, using data collected from Endpoint Detection and Response (EDR) agents. The detection monitors registry events in which a key is marked as deleted and focuses on cases where the acting process does not run from a standard system or application path. Such activity is relevant to malicious behaviour in which malware clears its traces or disrupts system configuration; the Double Zero wiper is a known example. The detection requires specific Sysmon event IDs so that process and registry event data are correctly aggregated and analyzed. By correlating the actions of non-critical processes with registry deletions, security teams can identify and respond to threats before they lead to system compromise or data loss.
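The filtering logic described above, as an added example that is not part of the rule or its source: it runs over constructed Sysmon-style registry events and keeps key deletions whose acting process is outside a set of standard directories. The standard-path prefixes, the Sysmon event ID 12 / `DeleteKey` field values and the record layout are assumptions of this example.

```python
"""Flag registry key deletions performed by processes outside standard paths.

Input is constructed Sysmon-style registry events (Event ID 12 is assumed
to be the RegistryEvent object create/delete event). The list of
'standard' path prefixes is an assumption, not taken from the rule text.
"""
from dataclasses import dataclass

# Assumed allowlist of standard system/application directories (lowercase).
STANDARD_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass(frozen=True)
class RegistryEvent:
    event_id: int
    event_type: str     # e.g. CreateKey, DeleteKey, SetValue
    image: str          # full path of the acting process
    target_object: str  # registry path acted upon
    host: str


def is_standard_path(image: str) -> bool:
    """True when the process image lives under an assumed standard directory.
    Comparison is case-insensitive because Windows paths are."""
    return image.lower().startswith(STANDARD_PREFIXES)


def find_suspicious_deletions(events):
    """Return key deletions (EID 12, DeleteKey) by non-standard processes."""
    return [
        e for e in events
        if e.event_id == 12
        and e.event_type == "DeleteKey"
        and not is_standard_path(e.image)
    ]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    RegistryEvent(12, "DeleteKey", r"C:\Windows\System32\svchost.exe",
                  r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc", "ws01"),
    RegistryEvent(12, "DeleteKey", r"C:\Users\alice\AppData\Local\Temp\upd.exe",
                  r"HKLM\SOFTWARE\Example\Config", "ws01"),
    RegistryEvent(12, "CreateKey", r"C:\Users\alice\Downloads\tool.exe",
                  r"HKCU\Software\Tool", "ws02"),
    RegistryEvent(13, "SetValue", r"C:\Users\alice\Downloads\tool.exe",
                  r"HKCU\Software\Tool\Setting", "ws02"),
]

if __name__ == "__main__":
    for hit in find_suspicious_deletions(SAMPLE_EVENTS):
        print(f"{hit.host}: {hit.image} deleted {hit.target_object}")
```

Only the second sample event is reported: the svchost deletion is excluded by path, and the other two are not key deletions.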
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1112
Created: 2024-11-13