
Summary
This detection rule identifies suspicious modifications to InprocServer32 registry keys associated with the Windows Disk Cleanup utility (cleanmgr.exe). Disk Cleanup loads its cleanup handlers as COM objects, so an attacker can maintain persistence on a compromised system by registering a per-user InprocServer32 entry under 'HKCU\SOFTWARE\Classes\CLSID\*\InprocServer32' that points at an attacker-controlled DLL. Per-user class registrations under HKCU are consulted before the machine-wide ones under HKLM, so the hijack needs no administrative rights; whenever Disk Cleanup runs, the hijacked class is instantiated and the DLL executes inside a legitimate, signed Windows process, which is easy for both the user and security tooling to overlook. The rule uses Splunk search logic over process command-line telemetry to alert on registry-editing commands that add or change a value beneath 'HKCU\SOFTWARE\Classes\CLSID\*\InprocServer32', typically with parameters that supply a new DLL path as the value data. Because the logic keys on the command line, reg.exe invocations are the primary signal; writes made through PowerShell registry cmdlets or direct registry API calls from a custom binary are only visible through the Windows Registry data source. This detection is significant because it surfaces attempts to co-opt a legitimate system utility for persistence through COM hijacking (T1546.015).
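The following is an added example, not part of the rule or the Splunk content it summarizes: it runs the detection logic described above over a handful of constructed process-creation events. It goes slightly beyond the summary by also recognizing PowerShell registry cmdlets, and it separates a write that carries a DLL path from one that only touches InprocServer32 (for example a ThreadingModel value), so the two can be triaged differently. The field names (host, user, process), the CLSID values and every command line are constructed for the example; the real Disk Cleanup handler CLSIDs are not reproduced here.

```python
"""Flag command lines that write into a per-user COM InprocServer32 key (constructed example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Key path the detection watches: HKCU\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32.
# Accepts the reg.exe spellings (HKCU\..., HKEY_CURRENT_USER\...) and the PowerShell
# drive spelling (HKCU:\...). HKLM is deliberately not matched: the rule scopes HKCU.
_TARGET_KEY = re.compile(
    r"(?:HKCU|HKEY_CURRENT_USER):?\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\})\\InprocServer32",
    re.IGNORECASE,
)

# Operations that create or change a value. 'reg query' and 'reg delete' do not match.
_REG_WRITE = re.compile(r"\breg(?:\.exe)?\s+add\b", re.IGNORECASE)
_PS_WRITE = re.compile(r"\b(?:New-Item|Set-Item|New-ItemProperty|Set-ItemProperty)\b", re.IGNORECASE)

# DLL path supplied as value data: quoted (may contain spaces), or bare with a drive
# letter, an environment variable, or a UNC prefix.
_DLL_PATH = re.compile(
    r'"([^"]+\.dll)"|((?:[A-Za-z]:|%[^%]+%|\\\\)[^"\s]+\.dll)\b',
    re.IGNORECASE,
)

# Constructed sample events (not real telemetry). Field names are assumptions.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "process":
     r'reg.exe add "HKCU\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32" '
     r'/ve /t REG_SZ /d "C:\Users\alice\AppData\Roaming\update.dll" /f'},
    {"host": "ws01", "user": "CORP\\alice", "process":
     r'reg.exe query "HKCU\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32"'},
    {"host": "ws02", "user": "CORP\\bob", "process":
     r'REG ADD HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32 '
     r'/v ThreadingModel /t REG_SZ /d Apartment /f'},
    {"host": "ws03", "user": "SYSTEM", "process":
     r'reg.exe add "HKLM\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32" '
     r'/ve /d C:\Windows\System32\legit.dll /f'},
    {"host": "ws04", "user": "CORP\\carol", "process":
     r'powershell -c New-Item -Path "HKCU:\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32" -Force; '
     r'Set-ItemProperty -Path "HKCU:\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32" '
     r'-Name "(Default)" -Value "C:\Temp\evil.dll"'},
]


@dataclass
class Finding:
    host: str
    user: str
    clsid: str
    dll_path: Optional[str]  # None: InprocServer32 was written, but no DLL path was in the command
    command: str


def analyze_command(command: str) -> Optional[dict]:
    """Return {'clsid', 'dll_path'} if the command writes under an HKCU InprocServer32 key."""
    key = _TARGET_KEY.search(command)
    if not key:
        return None
    if not (_REG_WRITE.search(command) or _PS_WRITE.search(command)):
        return None  # read or delete of the key, not a persistence write
    dll = _DLL_PATH.search(command)
    dll_path = (dll.group(1) or dll.group(2)) if dll else None
    return {"clsid": key.group(1), "dll_path": dll_path}


def scan_events(events) -> list:
    """Apply analyze_command to each event and collect findings with their context."""
    findings = []
    for ev in events:
        hit = analyze_command(ev["process"])
        if hit:
            findings.append(Finding(ev["host"], ev["user"], hit["clsid"], hit["dll_path"], ev["process"]))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        level = "HIGH" if f.dll_path else "LOW"
        print(f"[{level}] {f.host} {f.user} clsid={f.clsid} dll={f.dll_path}")
```

Run against the sample set, the reg.exe query and the HKLM write are ignored, the ThreadingModel-only write on ws02 is reported without a DLL path for lower-priority triage, and the two writes that carry a DLL path (ws01 and ws04) are the alerts a responder would pivot on: confirm the CLSID belongs to a Disk Cleanup handler, inspect the DLL, and check whether cleanmgr.exe has since loaded it.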
Categories
- Windows
Data Sources
- Windows Registry
- Command
ATT&CK Techniques
- T1546.015
Created: 2024-02-09