
Summary
This detection rule identifies modifications to the Windows Registry keys under the "\Software\Wow6432Node\Classes" path, which adversaries often abuse to achieve persistence on a system. By adding entries to the Registry under this path, malware can set programs to execute automatically when a user logs in, abusing the operating system's normal autorun functionality. The rule specifically detects events logged by Sysmon (EventID 1 and EventID 13), capturing registry manipulation commands such as 'Add', 'Set-ItemProperty', and others associated with registry modifications. The captured data reveals the time and host of the event, the user account involved, and the attributes of the process that modified the autostart extensibility point (ASEP). By monitoring these registry changes, organizations can detect and potentially mitigate unauthorized persistence mechanisms employed by malware. Correlating these actions with the permission level of the user account executing the commands is crucial, because that level indicates the potential impact and the privilege escalation possibilities inherent in such modifications.
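As an added example (not the rule's own search logic, and not code from the rule's authors), the detection described above written in Python over a handful of constructed Sysmon records: it flags EventID 13 SetValue writes whose TargetObject falls under \Software\Wow6432Node\Classes, flags EventID 1 command lines that combine a registry-writing verb with that path, and joins each registry event to its process-create record on ProcessGuid to pull in the IntegrityLevel, which is the privilege context the summary says should be correlated. The Sysmon field names (TargetObject, Details, EventType, CommandLine, ProcessGuid, IntegrityLevel) are real; every field value, host name, user, GUID and path below is constructed, and the New-ItemProperty verb is an assumed addition alongside the 'reg add' and Set-ItemProperty verbs named in the summary.

```python
"""Toy detector for the Wow6432Node\\Classes ASEP described in the rule summary.

Scans Sysmon EventID 1 (process create) and EventID 13 (registry value set)
records, flags writes under \\Software\\Wow6432Node\\Classes, and enriches each
hit with the integrity level of the writing process. Added example; all sample
events are constructed, not real telemetry.
"""
import re
from typing import Dict, List

# Path fragment named by the rule. Case-insensitive because Sysmon records
# the hive path as logged by the caller (SOFTWARE vs Software).
WATCHED_PATH = re.compile(r"\\Software\\Wow6432Node\\Classes\\", re.IGNORECASE)

# Registry-writing verbs looked for in EventID 1 command lines. 'reg add' and
# Set-ItemProperty come from the rule text; New-ItemProperty is an assumption.
REG_WRITE_VERBS = re.compile(
    r"(?:\breg(?:\.exe)?\s+add\b|\bSet-ItemProperty\b|\bNew-ItemProperty\b)",
    re.IGNORECASE,
)

# Sysmon EventID 1 IntegrityLevel values that indicate an elevated writer.
ELEVATED_LEVELS = {"High", "System"}

# Constructed sample telemetry: one elevated reg.exe write (logged twice, as
# EventID 1 and EventID 13), one medium-integrity PowerShell write, two benign events.
GUID_REG = "{0f1e2d3c-0000-0000-0000-000000000001}"   # constructed
GUID_PS = "{0f1e2d3c-0000-0000-0000-000000000002}"    # constructed
GUID_NP = "{0f1e2d3c-0000-0000-0000-000000000003}"    # constructed
CLSID = "{11111111-2222-3333-4444-555555555555}"      # constructed placeholder

SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "UtcTime": "2024-02-09 10:15:01.100", "Computer": "WS01",
     "User": "CORP\\alice", "ProcessGuid": GUID_REG, "IntegrityLevel": "High",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": 'reg add "HKLM\\SOFTWARE\\Wow6432Node\\Classes\\CLSID\\' + CLSID +
                    '\\InprocServer32" /ve /d C:\\Users\\Public\\x.dll /f'},
    {"EventID": 13, "UtcTime": "2024-02-09 10:15:01.150", "Computer": "WS01",
     "User": "CORP\\alice", "ProcessGuid": GUID_REG, "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Classes\\CLSID\\" + CLSID +
                     "\\InprocServer32\\(Default)",
     "Details": "C:\\Users\\Public\\x.dll"},
    {"EventID": 1, "UtcTime": "2024-02-09 10:20:44.000", "Computer": "WS02",
     "User": "CORP\\bob", "ProcessGuid": GUID_PS, "IntegrityLevel": "Medium",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command "Set-ItemProperty -Path '
                    "'HKCU:\\Software\\Wow6432Node\\Classes\\exefile\\shell\\open\\command' "
                    "-Name '(Default)' -Value 'C:\\Users\\bob\\AppData\\Local\\Temp\\u.exe'\""},
    {"EventID": 13, "UtcTime": "2024-02-09 10:21:00.000", "Computer": "WS02",
     "User": "CORP\\bob", "ProcessGuid": GUID_NP, "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetObject": "HKCU\\Software\\Classes\\.txt\\(Default)", "Details": "txtfile"},
    {"EventID": 1, "UtcTime": "2024-02-09 10:20:58.000", "Computer": "WS02",
     "User": "CORP\\bob", "ProcessGuid": GUID_NP, "IntegrityLevel": "Medium",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\bob\\notes.txt"},
]


def index_process_creates(events: List[Dict]) -> Dict[str, Dict]:
    """Map ProcessGuid -> EventID 1 record so registry events can be joined to their process."""
    return {e["ProcessGuid"]: e for e in events if e.get("EventID") == 1}


def is_asep_write(event: Dict) -> bool:
    """True when the event is a write under the watched path (EventID 13) or a
    command line that pairs a registry-writing verb with that path (EventID 1)."""
    eid = event.get("EventID")
    if eid == 13:
        return event.get("EventType") == "SetValue" and bool(
            WATCHED_PATH.search(event.get("TargetObject", "")))
    if eid == 1:
        cmd = event.get("CommandLine", "")
        return bool(REG_WRITE_VERBS.search(cmd)) and bool(WATCHED_PATH.search(cmd))
    return False


def enrich(event: Dict, creates: Dict[str, Dict]) -> Dict:
    """Build the analyst-facing record: time, host, user, process, target and the
    integrity level of the writer (taken from the joined EventID 1 when absent)."""
    parent = creates.get(event.get("ProcessGuid", ""), {})
    level = event.get("IntegrityLevel") or parent.get("IntegrityLevel") or "Unknown"
    return {
        "event_id": event["EventID"],
        "time": event["UtcTime"],
        "host": event["Computer"],
        "user": event.get("User") or parent.get("User", "Unknown"),
        "process": event["Image"],
        "target": event.get("TargetObject") or event.get("CommandLine"),
        "details": event.get("Details"),
        "integrity_level": level,
        "elevated": level in ELEVATED_LEVELS,
    }


def detect(events: List[Dict]) -> List[Dict]:
    """Run the rule over a batch of Sysmon events and return enriched hits in input order."""
    creates = index_process_creates(events)
    return [enrich(e, creates) for e in events if is_asep_write(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        flag = "ELEVATED" if hit["elevated"] else "standard"
        print(f"{hit['time']} {hit['host']} EID{hit['event_id']} {hit['user']} "
              f"[{hit['integrity_level']}/{flag}] {hit['process']} -> {hit['target']}")
```

Run against the constructed batch, the same reg.exe action surfaces twice (once from its command line, once from the resulting SetValue), which is exactly why the ProcessGuid join matters: the EventID 13 record carries no IntegrityLevel of its own, and the join is what lets the analyst see that the write was made from a High-integrity process while bob's PowerShell write was not.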
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1547.001
Created: 2024-02-09