
Detect Remote Access Software Usage Registry

Splunk Security Content

Summary
This detection identifies known remote access software being registered in autostart (persistence) locations on endpoints, a technique adversaries use to keep a foothold after initial access. It examines Windows Registry events from Sysmon (Event ID 12, registry key created or deleted, and Event ID 13, registry value set) for paths under which software is configured to run automatically at startup, including `Microsoft\Windows\CurrentVersion\Run` and `SYSTEM\CurrentControlSet\Services`. The registry value data written there is then checked against a lookup table of known remote access utilities such as AnyDesk, LogMeIn and TeamViewer. A match raises an alert for possible unauthorized remote access software, which should be investigated and, if confirmed, responded to. Because sanctioned IT support tools land in exactly the same locations, expect hits on help-desk and administrator hosts; tune the rule with an allowlist of approved products or hosts before treating a match as malicious.
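The following is an added example that reimplements the logic described above in Python so it can be run over sample data offline; it is not the rule's own SPL nor part of the Splunk Security Content project. The Sysmon event shapes, the lookup table rows, the decision to match an Event ID 12 key name (which carries no value data) against the same lookup, and the allowlist are all assumptions made for the example.

```python
import re
from typing import Iterable

# Constructed subset of a remote-access-software lookup table, keyed by the
# lowercased executable or key name without the ".exe" suffix. This shape is
# an assumption for the example; the real lookup is a larger CSV.
REMOTE_ACCESS_LOOKUP = {
    "anydesk": "AnyDesk",
    "teamviewer": "TeamViewer",
    "teamviewer_service": "TeamViewer",
    "logmein": "LogMeIn",
}

# Autostart locations the rule scans. They are matched anywhere in the key
# path so both HKLM\SYSTEM\... and HKU\<SID>\Software\Microsoft\...\Run hit.
PERSISTENCE_PATHS = (
    re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE),
    re.compile(r"\\SYSTEM\\CurrentControlSet\\Services\\", re.IGNORECASE),
)

# Executable basename (without extension) inside a command line or image path.
EXE_NAME = re.compile(r'([^\\/"\s]+)\.exe\b', re.IGNORECASE)


def in_persistence_location(registry_path: str) -> bool:
    """True if the registry key path lies under one of the scanned locations."""
    return any(p.search(registry_path) for p in PERSISTENCE_PATHS)


def candidate_names(event: dict) -> list:
    """Names to run through the lookup. Event ID 13 (value set) carries the
    configured command line in Details; Event ID 12 (key create/delete) has
    no value data, so the new key's own name is used instead (an assumption
    of this example, not necessarily how the Splunk rule behaves)."""
    if event["EventID"] == 13:
        return [m.lower() for m in EXE_NAME.findall(event.get("Details", ""))]
    if event["EventID"] == 12:
        return [event["TargetObject"].rstrip("\\").rsplit("\\", 1)[-1].lower()]
    return []


def detect_remote_access_registry(events: Iterable[dict],
                                  allowlist=frozenset()) -> list:
    """Return one alert per event that writes a known remote access tool into
    a persistence location. allowlist holds (signature, host) pairs that are
    sanctioned in the environment, e.g. the help desk's TeamViewer host."""
    alerts = []
    for ev in events:
        if ev["EventID"] not in (12, 13):
            continue
        if not in_persistence_location(ev["TargetObject"]):
            continue
        for name in candidate_names(ev):
            signature = REMOTE_ACCESS_LOOKUP.get(name)
            if signature is None or (signature, ev["Computer"]) in allowlist:
                continue
            alerts.append({
                "dest": ev["Computer"],
                "user": ev.get("User", ""),
                "registry_path": ev["TargetObject"],
                "registry_value_data": ev.get("Details", ""),
                "signature": signature,
            })
            break  # one alert per registry event
    return alerts


# Constructed Sysmon registry events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01", "User": "CORP\\alice",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\AnyDesk",
     "Details": r'"C:\Users\alice\AppData\Roaming\AnyDesk\AnyDesk.exe" --silent'},
    {"EventID": 13, "Computer": "HELPDESK01", "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\TeamViewer\ImagePath",
     "Details": r'"C:\Program Files\TeamViewer\TeamViewer_Service.exe"'},
    {"EventID": 12, "Computer": "WS02", "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\AnyDesk"},
    {"EventID": 13, "Computer": "WS01", "User": "CORP\\alice",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\Updater.exe" /background'},
    # Known tool, but not in a persistence location: the path filter drops it.
    {"EventID": 13, "Computer": "WS03", "User": "CORP\\bob",
     "TargetObject": r"HKLM\SOFTWARE\Vendor\Settings\LastTool",
     "Details": r"C:\Tools\AnyDesk.exe"},
]

if __name__ == "__main__":
    for a in detect_remote_access_registry(SAMPLE_EVENTS):
        print(a["dest"], a["signature"], a["registry_path"])
    print("with allowlist:",
          len(detect_remote_access_registry(
              SAMPLE_EVENTS, allowlist=frozenset({("TeamViewer", "HELPDESK01")}))))
```

Run as-is, the sample yields three alerts (AnyDesk on WS01, TeamViewer on HELPDESK01, AnyDesk on WS02); the updater entry and the AnyDesk reference outside an autostart path produce nothing. Passing an allowlist that marks TeamViewer as sanctioned on HELPDESK01 suppresses the second alert, which is the tuning step the summary recommends before acting on a hit.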
Categories
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1219
Created: 2025-01-10