
Summary
This detection rule targets a persistence mechanism based on Excel add-ins, specifically XLL files (native DLL-style add-ins), which an attacker can register so that malicious code runs automatically every time Microsoft Excel starts. Excel loads the add-ins listed under its per-user Options key (Software\Microsoft\Office\<version>\Excel\Options) on launch, and a value there of the form '/R <path>' tells Excel to open that file read-only at startup; pointing such a value at an XLL turns it into an autostart hook. The rule monitors Windows Registry value-set events and looks for writes whose target path contains both 'Software\Microsoft\Office\' and '\Excel\Options', whose value data begins with the '/R ' open switch, and whose value data ends in '.xll'. When all three conditions are met the rule raises an alert for review as a possible persistence attempt on the host. Because Excel writes the same values when a user installs an add-in legitimately, an alert should be triaged on the process that wrote the value, the location of the XLL on disk and whether it is signed, rather than treated as conclusive on its own. The rule is relevant because Office applications are an established persistence vector for advanced threat actors, and it illustrates the value of real-time monitoring for registry changes that fall outside the applications' normal behaviour.
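The following added example (not part of the rule or of any rule repository) replays the selection described above over a few constructed Sysmon Event ID 13 (RegistryEvent, SetValue) records, so the logic can be checked against concrete telemetry. Field names follow Sysmon's TargetObject/Details/Image; all paths, SIDs and file names are invented. Matching is case-insensitive, as Sigma's contains/startswith/endswith modifiers are. The strip_quotes option is a hypothetical hardening added here to show that a quoted path (which Excel uses when the path contains a space) is not matched by a literal '.xll' suffix check; it is not part of the rule as written.

```python
"""Replay the XLL persistence selection over constructed Sysmon Event ID 13 records.

Added example; the sample events below are constructed and not real telemetry.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class RegistryEvent:
    """The fields of a Sysmon Event ID 13 (SetValue) record that the rule inspects."""
    event_id: int
    image: str          # process that wrote the value (used for triage, not selection)
    target_object: str  # full registry path of the value being set
    details: str        # the value data


def matches_xll_persistence(ev: RegistryEvent, strip_quotes: bool = False) -> bool:
    """Return True when the event satisfies the rule's three selection conditions.

    Sigma string modifiers match case-insensitively, so both sides are lowercased.
    With strip_quotes=False this is the literal selection; with strip_quotes=True
    surrounding double quotes are removed from the path before the '.xll' suffix
    check (a hypothetical hardening, not the rule as written).
    """
    if ev.event_id != 13:
        return False
    target = ev.target_object.lower()
    details = ev.details.lower()
    if "\\software\\microsoft\\office\\" not in target or "\\excel\\options" not in target:
        return False
    if not details.startswith("/r "):
        return False
    path = details[3:].strip()
    if strip_quotes:
        path = path.strip('"')
    return path.endswith(".xll")


def triage(events: List[RegistryEvent], strip_quotes: bool = False) -> List[RegistryEvent]:
    """Return the events that fire the rule, in input order."""
    return [ev for ev in events if matches_xll_persistence(ev, strip_quotes)]


# Constructed sample telemetry. Paths, SIDs and file names are invented for the example.
SAMPLE_EVENTS = [
    # 1: loader registered via reg.exe: the case the rule is written for
    RegistryEvent(13, r"C:\Windows\System32\reg.exe",
                  r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Excel\Options\OPEN",
                  r"/R C:\Users\Public\update.xll"),
    # 2: same key, but a classic .xla add-in installed by Excel itself: out of scope
    RegistryEvent(13, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                  r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Excel\Options\OPEN1",
                  r"/R C:\Users\alice\AppData\Roaming\Microsoft\AddIns\finance.xla"),
    # 3: mixed case; must still match because the comparisons are case-insensitive
    RegistryEvent(13, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Office\16.0\Excel\Options\OPEN2",
                  r"/r C:\ProgramData\Loader.XLL"),
    # 4: path quoted because it contains a space: the literal '.xll' suffix check misses it
    RegistryEvent(13, r"C:\Windows\System32\reg.exe",
                  r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Excel\Options\OPEN3",
                  r'/R "C:\Users\Public\Office Tools\helper.xll"'),
    # 5: CreateKey (Event ID 12) rather than SetValue: carries no Details, never matches
    RegistryEvent(12, r"C:\Windows\System32\reg.exe",
                  r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Excel\Options",
                  ""),
]


if __name__ == "__main__":
    literal = triage(SAMPLE_EVENTS)
    for ev in literal:
        print(f"ALERT   {ev.image} -> {ev.target_object} = {ev.details}")
    for ev in triage(SAMPLE_EVENTS, strip_quotes=True):
        if ev not in literal:
            print(f"MISSED by literal selection (quoted path): {ev.details}")
```

Running the block prints alerts for events 1 and 3 and reports event 4 as missed by the literal suffix check; event 2 (an .xla) and event 5 (a CreateKey with no value data) never fire. The Image field is carried through so an analyst can see at a glance whether EXCEL.EXE or an unrelated process such as reg.exe wrote the value.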
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- Windows Registry
ATT&CK Techniques
- T1137.006
Created: 2023-01-15