
Summary
This detection rule identifies modifications to Windows service configuration made through the registry, which can indicate malicious activity, in particular the persistence and privilege-escalation technique of hijacking a service's execution flow (ATT&CK T1574.011). It monitors changes to the per-service keys under HKLM\SYSTEM\CurrentControlSet\Services, using Sysmon Event ID 12 (registry key created or deleted) and Event ID 13 (registry value set) as its trigger. The rule uses Splunk to analyze the registry path, value name, and value data of each event for suspicious changes, such as a service's binary path (ImagePath) or service DLL (ServiceDll) being pointed at an attacker-controlled file. An attacker who can rewrite these values gets their code launched by the Service Control Manager, usually as LocalSystem, which can lead to elevated privileges, lateral movement within the network, data theft, ransomware deployment, or other harmful actions. By investigating the events this rule surfaces, security analysts can respond to and contain threats arising from service configuration changes made by unauthorized entities. Legitimate software installs and updates also write these keys, so triage should weigh the value data (for example, a path under a user-writable directory) and the process that wrote it (services.exe acting for the Service Control Manager versus reg.exe, PowerShell, or an unknown binary writing the key directly).
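The following is an added example of the detection logic described above, run over a handful of constructed Sysmon Event ID 12/13 records; it is not the rule's own Splunk search and not code from the page's authors. It assumes Sysmon's RegistryEvent field names (EventID, EventType, Image, User, TargetObject, Details), a watched set of value names (ImagePath, ServiceDll, FailureCommand, ObjectName), and a list of user-writable directories and trusted writer processes chosen for illustration; all of these would be tuned to the environment in a real deployment.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed Sysmon registry events (not real telemetry). Field names follow
# Sysmon's RegistryEvent schema: EventID 12 = key create/delete, 13 = value set.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\services.exe",
     "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath",
     "Details": "C:\\Windows\\System32\\spoolsv.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\reg.exe",
     "User": "CORP\\jdoe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\UpdaterSvc\\ImagePath",
     "Details": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\regedit.exe",
     "User": "CORP\\jdoe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\WinHttpAutoProxySvc\\Parameters\\ServiceDll",
     "Details": "C:\\ProgramData\\proxy.dll"},
    {"EventID": 12, "EventType": "CreateKey", "Image": "C:\\Windows\\System32\\sc.exe",
     "User": "CORP\\admin",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\NewSvc",
     "Details": ""},
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\explorer.exe",
     "User": "CORP\\jdoe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\foo",
     "Details": "C:\\foo.exe"},
]

# Scope: only the services hive. Captures the service name and whatever follows it.
SERVICES_KEY = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\(?P<service>[^\\]+)(?:\\(?P<rest>.+))?$",
    re.IGNORECASE,
)
# Value names that control what code the SCM runs (assumed watch list).
WATCHED_VALUES = {"imagepath", "servicedll", "failurecommand", "objectname"}
# Directories an unprivileged user can typically write to (assumed list).
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|tmp|public)\\", re.IGNORECASE)
# Processes expected to write service keys on behalf of the Service Control Manager.
TRUSTED_WRITERS = {"c:\\windows\\system32\\services.exe"}


@dataclass
class Alert:
    service: str
    value_name: str      # "" for key create/delete events
    details: str
    image: str
    user: str
    severity: str        # "high", "medium" or "low"


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert if this Sysmon event touches a service's configuration."""
    if event.get("EventID") not in (12, 13):
        return None
    m = SERVICES_KEY.match(event.get("TargetObject", ""))
    if not m:
        return None                      # not under the services hive
    service, rest = m.group("service"), m.group("rest")
    image, details = event.get("Image", ""), event.get("Details", "")
    trusted = image.lower() in TRUSTED_WRITERS

    if event["EventID"] == 12:
        # Key created or deleted: a new service being registered (or one removed).
        severity = "low" if trusted else "medium"
        return Alert(service, "", details, image, event.get("User", ""), severity)

    # Event 13: the value name is the last path component.
    value_name = rest.rsplit("\\", 1)[-1] if rest else ""
    if value_name.lower() not in WATCHED_VALUES:
        return None
    if USER_WRITABLE.search(details):
        severity = "high"                # service pointed at a user-writable path
    elif not trusted:
        severity = "medium"              # direct registry write bypassing the SCM
    else:
        severity = "low"
    return Alert(service, value_name, details, image, event.get("User", ""), severity)


def run_detection(events: list) -> list:
    """Apply evaluate() to every event and keep the hits."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(f"[{alert.severity:6}] {alert.service}\\{alert.value_name} = "
              f"{alert.details!r} written by {alert.image} as {alert.user}")
```

The severity tiers mirror the triage points a Splunk analyst would apply by hand: a binary path or DLL under a user-writable directory is the strongest signal, a service value written by something other than services.exe is the next, and a routine write by the Service Control Manager to a System32 path is kept only for context. The HKCU Run key write in the sample is ignored because it is outside the rule's scope.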
Categories
- Endpoint
- Windows
Data Sources
- Container
- User Account
- Windows Registry
ATT&CK Techniques
- T1574.011
Created: 2025-01-27