
Summary
This detection rule monitors for modifications to specific Windows Registry keys that can indicate malware activity, in particular the techniques used by malware such as Agent Tesla. It is designed to alert security teams when changes are made to settings that disable built-in Windows tools or features, since those changes can facilitate unauthorized access or actions within a system. Specifically, it looks for changes to the Registry keys that control the Start menu logoff option, workstation locking, registry tools, Task Manager, and other system features. The primary focus is on detecting set-value operations on these keys, with both the enabling (DWORD = 0) and disabling (DWORD = 1) configurations being tracked. A successful match from either selection set triggers the alert, so that potential compromises can be responded to promptly.
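As an added illustration of the detection logic described above (this is example code, not the rule itself or its vendor's implementation), the following Python matcher evaluates Sysmon Event ID 13 (RegistryEvent, value set) style records against two selection sets: value names where DWORD 1 disables a feature, and value names where DWORD 0 turns a protection off. The value names are standard Windows policy values; which ones the original rule lists exactly, and the use of EnableLUA as the zero-valued example, are assumptions. The event records are constructed sample data.

```python
import re
from typing import Optional

# Selection set "disable when 1": standard Windows policy values whose DWORD 1
# switches a built-in feature off (exact list in the rule is an assumption).
DISABLED_WHEN_1 = {
    "NoLogoff",                # Start menu logoff option
    "DisableLockWorkstation",  # lock workstation
    "DisableRegistryTools",    # registry editor
    "DisableTaskMgr",          # Task Manager
}
# Selection set "disable when 0": values where DWORD 0 turns a protection off.
# EnableLUA (UAC) is used here only as an illustrative, assumed member.
DISABLED_WHEN_0 = {"EnableLUA"}

# Sysmon renders DWORD data in the Details field as "DWORD (0x00000001)".
_DETAILS_RE = re.compile(r"^DWORD \((0x[0-9a-fA-F]{8})\)$")

# Constructed Sysmon Event ID 13 records (not real telemetry).
SAMPLE_EVENTS = [
    {   # Task Manager disabled by an unsigned binary in a user profile -> match
        "EventID": 13,
        "Image": "C:\\Users\\alice\\AppData\\Roaming\\update.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows"
                        "\\CurrentVersion\\Policies\\System\\DisableTaskMgr",
        "Details": "DWORD (0x00000001)",
    },
    {   # Same value set back to 0 (feature re-enabled) -> no match
        "EventID": 13,
        "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows"
                        "\\CurrentVersion\\Policies\\System\\DisableTaskMgr",
        "Details": "DWORD (0x00000000)",
    },
    {   # UAC turned off via EnableLUA = 0 -> match on the zero-valued set
        "EventID": 13,
        "Image": "C:\\Users\\alice\\AppData\\Roaming\\update.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                        "\\Policies\\System\\EnableLUA",
        "Details": "DWORD (0x00000000)",
    },
    {   # Unrelated value with non-DWORD data -> no match
        "EventID": 13,
        "Image": "C:\\Windows\\explorer.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows"
                        "\\CurrentVersion\\Explorer\\Advanced\\Hidden",
        "Details": "Binary Data",
    },
]


def parse_dword(details: str) -> Optional[int]:
    """Parse Sysmon's 'DWORD (0x........)' Details text into an int; None otherwise."""
    m = _DETAILS_RE.match(details.strip())
    return int(m.group(1), 16) if m else None


def match_event(event: dict) -> Optional[dict]:
    """Return an alert dict if a registry set-value event hits either selection set."""
    if event.get("EventID") != 13:          # only Sysmon RegistryEvent (Value Set)
        return None
    value_name = event.get("TargetObject", "").rsplit("\\", 1)[-1]
    value = parse_dword(event.get("Details", ""))
    if value is None:
        return None
    hit_1 = value_name in DISABLED_WHEN_1 and value == 1
    hit_0 = value_name in DISABLED_WHEN_0 and value == 0
    if hit_1 or hit_0:
        return {
            "value_name": value_name,
            "dword": value,
            "image": event.get("Image"),
            "technique": "T1112",           # Modify Registry
        }
    return None


def scan(events: list) -> list:
    """Run the matcher over a batch of events and return the alerts raised."""
    return [a for a in (match_event(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT {alert['technique']}: {alert['value_name']}={alert['dword']} "
              f"set by {alert['image']}")
```

Only the value name at the end of TargetObject and the decoded DWORD are considered, so the matcher fires regardless of whether the key lives under HKLM or a per-user HKU hive, which mirrors how the summary describes tracking both selection sets.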
Categories
- Endpoint
- Windows
- Infrastructure
Data Sources
- Windows Registry
ATT&CK Techniques
- T1112
Created: 2022-03-18