
Summary
This rule detects hidden registry values written through the NtSetValueKey API on Windows hosts, a technique adversaries use to persist while staying out of sight. NtSetValueKey takes a counted string, so a value name can be empty or begin with a null character; Win32 tools such as the Registry Editor, which treat names as null-terminated strings, either cannot display such a value or show it without a name, so the entry runs at logon but is not obvious to an administrator or to tooling that enumerates the key. The rule keys on registry change events rather than on the API call itself and scopes them to registry paths commonly used for startup applications (the Run and RunOnce locations), which is where persistence through this technique would be established. It is written in Elastic EQL (Event Query Language) and consumes registry telemetry from endpoint logs and Windows Sysmon. The rule carries an elevated risk score because a hidden startup entry is a direct attempt to keep control of a compromised host. Suggested investigation steps are to examine the registry change event (the written path and data, and the process that wrote it), to correlate it with surrounding process, logon and file activity on the host, and to assess whether the command stored in the hidden value is malicious.
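The detection logic described above, reimplemented as a small Python check run over constructed registry change events. This is an added illustration, not the rule's own EQL query or any Elastic code: the ECS-style field names (registry.path, registry.value, registry.data.strings, event.type), the list of startup keys treated as in scope, and the five sample events are all assumptions made for the example. The check mirrors the idea in the summary: a value-set event under a startup key whose value name is empty or begins with a null character, and which carries string data, is an alert.

```python
"""Added example: hidden Run/RunOnce value detection over sample events.

Not the rule's own query. Field names follow an ECS-style layout (assumed),
and the sample events below are constructed for the example.
"""
from __future__ import annotations

# Startup locations treated as in scope (assumption: the real rule may use a
# different list). Compared case-insensitively against the key path after the
# hive prefix (HKLM, HKEY_USERS\<SID>, ...) has been stripped.
STARTUP_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
)


def split_registry_path(path: str) -> tuple[str, str]:
    """Split a registry.path into (key path, value name).

    A value written with an empty name leaves nothing after the final
    backslash, so the returned name is ''; a null-prefixed name is returned
    as-is and starts with '\\x00'.
    """
    key, _, name = path.rpartition("\\")
    return key, name


def is_hidden_value_name(name: str) -> bool:
    """True for value names the Registry Editor cannot display properly.

    NtSetValueKey accepts a counted UNICODE_STRING, so the name may be empty
    or begin with a NUL character; tools that treat names as NUL-terminated
    C strings render such a value as unnamed or not at all.
    """
    return name == "" or name.startswith("\x00")


def is_startup_key(key_path: str) -> bool:
    """True if key_path is one of the in-scope startup locations."""
    lowered = key_path.lower().rstrip("\\")
    return any(lowered.endswith(suffix) for suffix in STARTUP_KEYS)


def detect_hidden_run_values(events: list[dict]) -> list[dict]:
    """Return the events that would alert.

    An event alerts when it is a value-set ('change') event, the key is a
    startup location, the value name is hidden, and string data was written.
    """
    hits = []
    for ev in events:
        if ev.get("event.type") != "change":
            continue
        path = ev.get("registry.path", "")
        key, derived_name = split_registry_path(path)
        name = ev.get("registry.value", derived_name)
        data = ev.get("registry.data.strings") or []
        if is_startup_key(key) and is_hidden_value_name(name) and len(data) > 0:
            hits.append({"registry.path": path, "registry.data.strings": data})
    return hits


# Constructed sample events (SID, paths and commands are made up).
SAMPLE_EVENTS = [
    {  # benign: an ordinary named Run value
        "event.type": "change",
        "registry.path": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
        "registry.value": "OneDrive",
        "registry.data.strings": [r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"],
    },
    {  # suspicious: empty value name (path ends in a backslash) under a user Run key
        "event.type": "change",
        "registry.path": "HKEY_USERS\\S-1-5-21-1111111111-2222222222-3333333333-1001"
                         "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
        "registry.value": "",
        "registry.data.strings": [r"rundll32.exe C:\Users\Public\update.dll,Start"],
    },
    {  # suspicious: NUL-prefixed value name under HKLM RunOnce (name derived from the path)
        "event.type": "change",
        "registry.path": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\\x00svc",
        "registry.data.strings": [r"C:\Windows\Temp\svc.exe"],
    },
    {  # out of scope: hidden name, but not a startup key
        "event.type": "change",
        "registry.path": "HKLM\\Software\\Contoso\\Agent\\",
        "registry.value": "",
        "registry.data.strings": ["1"],
    },
    {  # out of scope: a deletion, not a value set
        "event.type": "deletion",
        "registry.path": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
        "registry.value": "",
        "registry.data.strings": [],
    },
]


if __name__ == "__main__":
    for hit in detect_hidden_run_values(SAMPLE_EVENTS):
        print("ALERT", repr(hit["registry.path"]), hit["registry.data.strings"])
```

Two of the five constructed events alert: the empty-name value under the user's Run key and the null-prefixed value under HKLM RunOnce. The hidden name under a non-startup key and the deletion event do not, which is the scoping the summary describes. In practice the path string in the telemetry is what carries the signal, since registry value-set events (Sysmon Event ID 13 or the endpoint's registry data source) record the written path and data rather than the NtSetValueKey call itself.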
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Logon Session
- Application Log
ATT&CK Techniques
- T1547
- T1547.001
- T1106
- T1112
Created: 2020-11-15