Blue Mockingbird - Registry

Sigma Rules

Summary
This detection rule aims to identify changes in the Windows Registry that are characteristic of the Blue Mockingbird cryptomining malware. Specifically, it monitors modifications to the 'ServiceDll' parameter of the 'wercplsupport' service, a known technique the malware uses to persist and execute its payload. The detection fires when that registry value is modified, which typically indicates malicious activity associated with Blue Mockingbird. Earlier instances of this malware have been observed modifying service parameters to ensure their presence in a compromised environment. By analyzing these registry changes, security teams can take proactive measures to respond to potential infections.
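The following is an added example, not the rule's own source and not code from the Sigma project: it implements the detection logic the summary describes over constructed Sysmon-style registry events (EventID 13 = SetValue, 12 = key create/delete). It assumes the standard Windows layout in which the service lives under HKLM\SYSTEM\CurrentControlSet\Services\wercplsupport and its hosted DLL is named by the Parameters\ServiceDll value. It goes slightly beyond the literal rule in two labelled places: it also matches paths logged under ControlSet00x (sources that do not normalize to CurrentControlSet), and it adds a triage heuristic that ranks a ServiceDll pointing outside System32 higher. Field names, event samples and DLL paths are constructed for illustration.

```python
import re
from typing import Dict, List

# Suffix of the registry path the rule watches. The real Sigma rule keys on
# CurrentControlSet; the ControlSet\d{3} alternative is an added generalization
# for log sources that record the raw control-set name instead.
_WATCHED = re.compile(
    r"\\(?:currentcontrolset|controlset\d{3})"
    r"\\services\\wercplsupport\\parameters\\servicedll$",
    re.IGNORECASE,
)

# Heuristic (assumption, not part of the rule): the legitimate host DLL for a
# built-in service is expected under %SystemRoot%\System32.
_SYSTEM32_DIR = re.compile(r"(?:%systemroot%|[a-z]:\\windows)\\system32\\", re.IGNORECASE)

Event = Dict[str, object]

# Constructed sample events shaped like Sysmon registry events.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Dnscache\Start",
     "Details": "DWORD (0x00000002)"},                      # unrelated value write
    {"EventID": 12, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\wercplsupport\Parameters",
     "Details": ""},                                        # key touched, no value set
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll",
     "Details": r"C:\Windows\Temp\svc.dll"},                # constructed suspicious path
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\ControlSet001\Services\wercplsupport\Parameters\ServiceDll",
     "Details": r"%SystemRoot%\System32\wercplsupport.dll"},  # in-place rewrite, same dir
]


def is_service_dll_write(event: Event) -> bool:
    """True for a SetValue event whose target is wercplsupport's ServiceDll value."""
    if event.get("EventID") != 13:
        return False
    return bool(_WATCHED.search(str(event.get("TargetObject", ""))))


def detect(events: List[Event]) -> List[Event]:
    """Return every event the rule would alert on (any write to the watched value)."""
    return [e for e in events if is_service_dll_write(e)]


def triage(hit: Event) -> str:
    """Added heuristic: rank hits whose new DLL path is outside System32 as 'high',
    everything else as 'review' (the rule itself alerts on all of them)."""
    details = str(hit.get("Details", ""))
    return "review" if _SYSTEM32_DIR.search(details) else "high"


def summarize(events: List[Event]) -> List[Dict[str, str]]:
    """Compact view of each hit for an analyst: writer process, new DLL path, priority."""
    return [
        {"image": str(h.get("Image", "")), "service_dll": str(h.get("Details", "")),
         "priority": triage(h)}
        for h in detect(events)
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row)
```

Run as a script it prints two hits from the constructed sample: the reg.exe write pointing ServiceDll at a Temp directory (priority "high") and the svchost.exe write that keeps the DLL under System32 (priority "review"). The Dnscache write and the bare key event are ignored, matching the rule's scope of value modifications only.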
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
Created: 2020-05-14