
New RUN Key Pointing to Suspicious Folder

Sigma Rules

Summary
The detection rule targets Windows registry modifications that indicate a program has been configured to execute at system startup. Specifically, it identifies new RUN key entries that point to locations malware commonly uses to maintain persistence, such as temporary folders or the recycle bin. The rule triggers when a new value is written under `SOFTWARE\Microsoft\Windows\CurrentVersion\Run\` or `RunOnce\` and the value data points to a folder commonly associated with malicious activity; this includes values starting with `%Public%`, `wscript`, or `cscript`. Additional filters exclude legitimate entries written by Windows updates, so that legitimate software using unusual folder paths for its update process does not produce false positives. The rule is categorized as high severity and pertains to persistence techniques used by attackers.
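The matching logic described above, as an added Python example that is not the Sigma rule's own code or part of this page: it applies the Run/RunOnce key check, the suspicious-location check on the value data, and a Windows-update exclusion to registry "value set" events. Field names (`EventType`, `TargetObject`, `Details`, `Image`) follow the Sysmon Event ID 13 schema; the sample events are constructed. The `%Public%`, `wscript` and `cscript` prefixes come from the summary, while the spelled-out temp and recycle-bin folder paths, the per-user temp regex and the allowlisted update-installer path are assumptions (the last one is a placeholder, not the rule's actual filter value).

```python
import re

# Registry key fragments the summary names; matched case-insensitively.
RUN_KEY_FRAGMENTS = (
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\software\\microsoft\\windows\\currentversion\\runonce\\",
)

# Value-data prefixes: %Public%, wscript and cscript are from the summary;
# the concrete temp/recycle-bin folder spellings are assumed forms of the
# "temporary folders or the recycle bin" it mentions.
SUSPICIOUS_PREFIXES = (
    "%public%",
    "wscript",
    "cscript",
    "c:\\windows\\temp\\",
    "c:\\temp\\",
    "c:\\$recycle.bin\\",
    "c:\\users\\public\\",
)
# Per-user temp folder, e.g. C:\Users\<name>\AppData\Local\Temp\ (assumed).
USER_TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)

# Stand-in for the summary's "legitimate Windows update" exclusion: events
# whose writing process (Image) starts with one of these paths are dropped.
# The path is a hypothetical placeholder, not the rule's real filter value.
ALLOWLISTED_IMAGE_PREFIXES = (
    "c:\\placeholder\\windows-update-installer\\",
)


def is_run_key(target_object: str) -> bool:
    """True when the written value sits under a Run or RunOnce key."""
    t = target_object.lower()
    return any(frag in t for frag in RUN_KEY_FRAGMENTS)


def points_to_suspicious_location(details: str) -> bool:
    """True when the value data starts from a location the summary flags.

    A leading double quote (quoted executable path) is stripped first so a
    value like "C:\\Users\\Public\\x.exe" /silent is still caught.
    """
    d = details.strip().lstrip('"').lower()
    return d.startswith(SUSPICIOUS_PREFIXES) or USER_TEMP_RE.match(d) is not None


def is_allowlisted(event: dict) -> bool:
    """Exclusion for the (placeholder) Windows update process."""
    image = event.get("Image", "").lower()
    return image.startswith(ALLOWLISTED_IMAGE_PREFIXES)


def matches(event: dict) -> bool:
    """Apply the rule logic to one Sysmon Event ID 13 (registry value set) record."""
    if event.get("EventType") != "SetValue":
        return False
    if not is_run_key(event.get("TargetObject", "")):
        return False
    if not points_to_suspicious_location(event.get("Details", "")):
        return False
    return not is_allowlisted(event)


def scan(events: list) -> list:
    """Return the TargetObject of every event the rule would alert on."""
    return [e["TargetObject"] for e in events if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": "C:\\Users\\alice\\Downloads\\invoice.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "\"C:\\Users\\Public\\updater.exe\" /silent"},
    {"EventType": "SetValue", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Init",
     "Details": "wscript.exe //B C:\\ProgramData\\init.vbs"},
    {"EventType": "SetValue", "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": "\"C:\\Program Files\\Vendor\\agent.exe\" --background"},
    {"EventType": "SetValue", "Image": "C:\\Users\\bob\\Downloads\\tool.exe",
     "TargetObject": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "C:\\Users\\Public\\tool.exe"},
    {"EventType": "SetValue", "Image": "C:\\placeholder\\windows-update-installer\\installer.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\PostUpdate",
     "Details": "C:\\Windows\\Temp\\postupdate.exe"},
    {"EventType": "DeleteValue", "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Old",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\old.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Of the six constructed events only the first two alert: the third points to a normal program folder, the fourth is not under a Run key, the fifth is dropped by the update-process exclusion, and the sixth is a value deletion rather than a write. Matching is case-insensitive throughout because Sigma `contains`/`startswith` modifiers are case-insensitive and registry paths appear in mixed case in telemetry.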
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
Created: 2018-08-25