
Summary
This analytic rule detects modification of the Windows Update policy value AutoInstallMinorUpdates, matching the registry path "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AutoInstallMinorUpdates" with a value of "0x00000000". The AU key under SOFTWARE\\Policies is the Group Policy location for Windows Update settings, and setting this value to 0 stops minor updates from being installed automatically. Threat actors and malware, RedLine Stealer among them, disable automatic updates so that a compromised host stays unpatched, which keeps already-fixed vulnerabilities exploitable and gives the attacker more room to stage additional payloads without the update process interfering. A confirmed malicious change of this kind weakens the host's defenses and should be treated as a precursor to further compromise.

The detection relies on Sysmon EventID 12 (registry key or value created or deleted) and EventID 13 (registry value set); the value data used for the "0x00000000" condition is carried by EventID 13. Because legitimate Group Policy processing writes to the same key, triage should consider the Image that performed the write and whether this setting is expected to be policy-managed in the environment: a write from an unexpected process or user context is far more suspicious than one made during policy refresh. Awareness of what this change implies, particularly in a corporate environment where an attacker may be trying to maintain persistence, is important.
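As an added example (not part of this rule's page or Splunk's own detection code), the following Python applies the rule's conditions to a handful of constructed Sysmon EventID 12/13 records and annotates each hit with whether the writing process is one expected to manage Windows Update policy. The field names follow Sysmon's registry events (EventCode, Image, TargetObject, Details); Sysmon reports DWORD writes in the form "DWORD (0x00000000)", which the parser below relies on; the allowlist of expected writers is a hypothetical starting point to be tuned per environment, and the sample events are constructed, not captured telemetry.

```python
import fnmatch
import re

# Registry path and value the analytic watches for (from the rule description).
RULE_PATH_GLOB = r"*\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AutoInstallMinorUpdates"
RULE_VALUE = 0  # "0x00000000": minor updates are no longer installed automatically

# Sysmon registry event IDs the rule consumes.
REGISTRY_EVENT_IDS = {12, 13}  # 12: key/value create or delete, 13: value set

# Hypothetical allowlist of images expected to write Windows Update policy on a
# domain-joined host (svchost.exe hosts the Group Policy client). Tune locally.
EXPECTED_WRITERS = {r"c:\windows\system32\svchost.exe"}

# Constructed sample events shaped like the fields a SIEM extracts from Sysmon
# EventID 12/13 records. Illustrative only, not captured telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AutoInstallMinorUpdates",
     "Details": "DWORD (0x00000001)"},                      # policy enables auto-install: no hit
    {"EventCode": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AutoInstallMinorUpdates",
     "Details": "DWORD (0x00000000)"},                      # unexpected writer sets 0: hit
    {"EventCode": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\software\policies\microsoft\windows\windowsupdate\au\AutoInstallMinorUpdates",
     "Details": "DWORD (0x00000000)"},                      # same value via policy refresh: hit, lower priority
    {"EventCode": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate",
     "Details": "DWORD (0x00000001)"},                      # different value name: not this rule
    {"EventCode": 12, "Image": r"C:\Windows\regedit.exe", "EventType": "DeleteValue",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AutoInstallMinorUpdates",
     "Details": ""},                                        # EventID 12 carries no value data: no hit
]

_HEX = re.compile(r"0x([0-9A-Fa-f]+)")


def registry_dword_value(details):
    """Parse the numeric value out of a Sysmon Details string such as
    'DWORD (0x00000000)'. Returns None when no hex value is present
    (EventID 12 records and non-numeric value types carry none)."""
    m = _HEX.search(details or "")
    return int(m.group(1), 16) if m else None


def matches_rule(event):
    """True when the event is a Sysmon registry event on the watched path
    whose value data is 0x00000000, i.e. the rule's trigger condition."""
    if event.get("EventCode") not in REGISTRY_EVENT_IDS:
        return False
    # Registry paths are case-insensitive, so compare lowercased forms.
    target = event.get("TargetObject", "").lower()
    if not fnmatch.fnmatchcase(target, RULE_PATH_GLOB.lower()):
        return False
    return registry_dword_value(event.get("Details")) == RULE_VALUE


def triage_hits(events):
    """Run the rule over a batch of events and mark each hit with whether the
    writing process is on the expected-writer allowlist, for prioritisation."""
    hits = []
    for ev in events:
        if matches_rule(ev):
            image = ev.get("Image", "")
            hits.append({"Image": image,
                         "TargetObject": ev["TargetObject"],
                         "expected_writer": image.lower() in EXPECTED_WRITERS})
    return hits


if __name__ == "__main__":
    for hit in triage_hits(SAMPLE_EVENTS):
        flag = "policy-managed?" if hit["expected_writer"] else "INVESTIGATE"
        print(f"{flag:15} {hit['Image']} -> {hit['TargetObject']}")
```

Both writes of 0x00000000 are reported, because the rule is a value-based match; the allowlist flag is what separates a Group Policy refresh from a stray executable in a user's temp directory, and it is where local tuning belongs rather than in the path or value condition.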
Categories
- Windows
- Endpoint
Data Sources
- Process
- Windows Registry
- Image
ATT&CK Techniques
- T1112
Created: 2024-11-13