Persistence Via Sticky Key Backdoor

Sigma Rules

Summary
This rule detects a persistence mechanism that attackers use to keep backdoor access to Windows systems through the Sticky Keys accessibility feature. The attacker replaces the Sticky Keys executable (`sethc.exe`) with the Command Prompt executable (`cmd.exe`). Because Sticky Keys can be invoked before logon, this lets an unauthorized user open an elevated command shell without authenticating, simply by triggering the Sticky Keys shortcut (usually pressing Shift five times). The rule watches process creation for the command line operations that perform this replacement, specifically the copying of the Command Prompt executable to the Sticky Keys location. A critical alert is raised when the detection criteria match, indicating potential unauthorized system access. Every firing of this alert warrants further investigation, since it may indicate a security breach.
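The command-line match described above, as an added example that is not the Sigma rule itself: a small Python detector run over constructed process-creation events. It goes slightly beyond the summary by also matching PowerShell's `Copy-Item` and `xcopy`, and it requires `cmd.exe` to appear as the source argument before the `sethc.exe` destination so that a restore of `sethc.exe` from a backup is not flagged. The event field names (`Image`, `CommandLine`) and the sample command lines are assumptions for illustration.

```python
import re

# Constructed sample process-creation events (not real telemetry); field
# names follow the Sysmon EventID 1 style but are an assumption here.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy /y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"copy C:\Windows\System32\sethc.exe C:\temp\sethc.bak"},  # benign backup
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -c "Copy-Item C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe -Force"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"copy C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe"},
    {"Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
]

# A copy verb, optional switches (not crossing a & or | command separator),
# then cmd.exe as the source argument followed by sethc.exe as the destination.
STICKY_KEY_COPY = re.compile(
    r"\b(?:copy-item|xcopy|copy|cp)\b"      # copy verb (cmd.exe or PowerShell)
    r"[^&|]*?"                              # switches such as /y, -Force
    r"[\\\s\"']cmd\.exe[\"']?\s+"           # source: ...\cmd.exe
    r"[\"']?\S*?sethc\.exe\b",              # destination: ...\sethc.exe
    re.IGNORECASE,
)


def is_sticky_key_backdoor(command_line: str) -> bool:
    """True when the command line copies cmd.exe over sethc.exe."""
    return STICKY_KEY_COPY.search(command_line) is not None


def scan(events):
    """Return a critical finding for every event whose CommandLine matches."""
    findings = []
    for event in events:
        if is_sticky_key_backdoor(event.get("CommandLine", "")):
            findings.append({"level": "critical",
                             "Image": event.get("Image", ""),
                             "CommandLine": event["CommandLine"]})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["level"], finding["Image"], "::", finding["CommandLine"])
```

On the constructed events this flags the two cmd.exe copies and the PowerShell `Copy-Item`, and leaves the backup copy and explorer.exe alone.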
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2020-02-18