
Summary
This rule targets modifications to the Winlogon Registry entries that may indicate persistent malware or unauthorized access applications. Specifically, it focuses on the entries located under HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\, which control the behavior of the Winlogon process, particularly its ability to load additional helper DLLs. Using PowerShell's Script Block Logging feature, the rule watches for suspicious commands that attempt to alter these Registry values with PowerShell cmdlets such as Set-ItemProperty or New-Item. The detection condition requires that both selections (the Winlogon key path and one of these modifying cmdlets) be present within the same PowerShell session, which reduces the likelihood of false positives while keeping the monitoring relevant. This rule helps defend against persistence techniques used by attackers.
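As an added example (not the rule's own logic or code from this page), the following Python re-implements the two selections described above and runs them over constructed Event ID 4104 script-block texts. The matching semantics (case-insensitive substring, like Sigma's `contains`), the hive check and the sample records are assumptions.

```python
"""Re-implementation of the Winlogon helper detection over PowerShell
Script Block Logging (Event ID 4104) records. Added example; the sample
records below are constructed, not real telemetry."""
import re
from dataclasses import dataclass

# Selection 1: the Winlogon key. PowerShell is case-insensitive and the
# key may be written as HKLM:\... / HKCU:\... or with the long hive name,
# so match on the common path tail and check the hive separately. The
# optional Wow6432Node component sits before this tail, so it matches too.
WINLOGON_KEY = re.compile(
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", re.IGNORECASE)
HIVE = re.compile(
    r"\b(HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\b", re.IGNORECASE)
# Selection 2: cmdlets that alter values. Substring semantics (as in Sigma
# "contains"), so New-ItemProperty is covered by the New-Item pattern.
MODIFY_CMDLET = re.compile(r"Set-ItemProperty|New-Item", re.IGNORECASE)


@dataclass
class ScriptBlockEvent:
    record_id: int
    script_block_text: str


def matches_winlogon_helper_rule(text: str) -> bool:
    """Both selections must occur in the same script block record."""
    return bool(WINLOGON_KEY.search(text) and HIVE.search(text)
                and MODIFY_CMDLET.search(text))


def alerts(events: list[ScriptBlockEvent]) -> list[int]:
    """Return the record ids that the rule would fire on."""
    return [e.record_id for e in events
            if matches_winlogon_helper_rule(e.script_block_text)]


# Constructed sample records: 1 and 4 should fire, 2 (read-only) and
# 3 (unrelated key) should not.
SAMPLE_EVENTS = [
    ScriptBlockEvent(1, r"Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell -Value 'explorer.exe'"),
    ScriptBlockEvent(2, r"Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' | Select-Object Shell, Userinit"),
    ScriptBlockEvent(3, r"New-Item -Path 'HKCU:\Software\Contoso\Settings' -Force"),
    ScriptBlockEvent(4, r"new-itemproperty -path 'hklm:\software\wow6432node\microsoft\windows nt\currentversion\winlogon' -name Userinit -value 'C:\Windows\system32\userinit.exe,'"),
]

if __name__ == "__main__":
    print("alerting record ids:", alerts(SAMPLE_EVENTS))  # [1, 4]
```

Event 2 shows why the cmdlet selection matters: reading the key is common administrative activity and does not fire.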
Categories
- Windows
- Endpoint
Data Sources
- Script
- Windows Registry
ATT&CK Techniques
- T1547.004
Created: 2019-10-21