
Summary
This detection rule identifies newly added InProcServer32 registry entries in Windows environments using Sysmon EventID 13 (RegistryEvent: Value Set) data. InProcServer32 is the value under a COM class's CLSID key that names the DLL COM loads into the calling process, so any process that instantiates that CLSID loads whatever DLL the value points to. Malware abuses this for persistence and code execution (COM hijacking): it writes the path of a malicious DLL into an InProcServer32 value, typically under the user's own HKCU\Software\Classes\CLSID hive, which requires no elevation and takes precedence over the HKLM entry for the same CLSID. By monitoring registry value writes whose path contains InProcServer32, this analytic surfaces such changes for threat hunting. The rule aggregates the matching registry events so that the writing process, the user and the DLL path can be reviewed together. Legitimate installers and regsvr32 runs write the same values routinely, so expect to tune the rule by excluding known installer images and prioritising writes under HKU (HKCU) whose DLL path points into a user-writable location.
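The following Python example, added here and not part of the original rule, shows the detection logic run over a handful of constructed Sysmon EventID 13 records. It filters to value-set events on a CLSID's InprocServer32 key, keeps only the (Default) value (the one holding the DLL path), and ranks hits by whether the write landed in the per-user hive and whether the DLL lives in a user-writable directory. The SIDs, CLSIDs, paths and the list of user-writable directories are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed Sysmon EventID 13 (RegistryEvent: Value Set) records, shaped like the
# fields Sysmon writes (EventID, Image, User, TargetObject, Details). Sample data for
# this example only; the SIDs, CLSIDs and paths are made up.
SAMPLE_EVENTS = [
    {  # HKCU COM hijack pattern: user-writable DLL path written by regsvr32 run as the user
        "EventID": 13, "Image": r"C:\Windows\System32\regsvr32.exe", "User": r"LAB\alice",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{A1B2C3D4-0000-0000-0000-000000000001}\InprocServer32\(Default)",
        "Details": r"C:\Users\alice\AppData\Roaming\update\helper.dll",
    },
    {  # Machine-wide registration by an installer: common and usually benign
        "EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe", "User": r"NT AUTHORITY\SYSTEM",
        "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{A1B2C3D4-0000-0000-0000-000000000002}\InprocServer32\(Default)",
        "Details": r"C:\Program Files\Vendor\vendor.dll",
    },
    {  # Same key family but a ThreadingModel value, not the DLL path
        "EventID": 13, "Image": r"C:\Windows\explorer.exe", "User": r"LAB\alice",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{A1B2C3D4-0000-0000-0000-000000000003}\InprocServer32\ThreadingModel",
        "Details": "Apartment",
    },
    {  # EventID 12 (key create) on an InprocServer32 key: out of scope for a value-set rule
        "EventID": 12, "Image": r"C:\Windows\System32\regsvr32.exe", "User": r"LAB\alice",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{A1B2C3D4-0000-0000-0000-000000000004}\InprocServer32",
        "Details": "",
    },
    {  # Unrelated registry write
        "EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM",
        "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Foo\Start",
        "Details": "DWORD (0x00000002)",
    },
]

# Matches the CLSID key whose InprocServer32 value is being set. Case-insensitive because
# the registry is, and because the key is usually spelled "InprocServer32" on disk.
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\\", re.IGNORECASE)

# Directories an unprivileged user can write to. An assumption for this example; extend
# it to match the environment being monitored.
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.IGNORECASE)


@dataclass
class Finding:
    clsid: str
    hive: str
    dll_path: str
    image: str
    user: str
    severity: str


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding if this event sets the DLL path of a COM InprocServer32 key."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    m = CLSID_RE.search(target)
    if not m:
        return None
    # Only the (Default) value of InprocServer32 names the DLL that COM loads;
    # ThreadingModel and other sibling values do not change what gets loaded.
    if target.rsplit("\\", 1)[-1].lower() != "(default)":
        return None
    dll_path = event.get("Details", "")
    # Sysmon reports HKCU writes as HKU\<SID>\...; those matter most for hijacking
    # because per-user CLSID entries take precedence over HKLM for the same CLSID.
    hive = "HKLM" if target.upper().startswith("HKLM\\") else "HKU"
    if hive == "HKU" and USER_WRITABLE_RE.search(dll_path):
        severity = "high"
    elif hive == "HKU":
        severity = "medium"
    else:
        severity = "low"
    return Finding(m.group(1), hive, dll_path, event.get("Image", ""),
                   event.get("User", ""), severity)


def find_inprocserver32_events(events: list) -> list:
    """Run the classification over a batch of Sysmon records and keep the hits."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in find_inprocserver32_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.hive} {f.clsid} -> {f.dll_path} (by {f.image} as {f.user})")
```

On the sample data this yields two findings: the HKU write pointing at a DLL under AppData is ranked high, the HKLM write by msiexec into Program Files is ranked low, and the ThreadingModel, EventID 12 and unrelated records are dropped. The severity tiers are the tuning knob: an alerting rule would typically page on high, queue medium for review, and leave low to installer-baseline exclusions.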
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1112
- T1566
Created: 2024-11-13