
Summary
This rule identifies registry changes associated with persistence via AppInit DLLs on Windows systems. AppInit DLLs are libraries listed in the AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (and the WOW6432Node view for 32-bit processes); when loading is enabled, they are loaded by user32.dll into every process that maps it, so a DLL written there runs inside many processes, with whatever privileges each host process has. An attacker who can write that value therefore gains code execution that survives reboots and rides inside legitimate, sometimes privileged, processes.

The rule uses EQL (Event Query Language) to match modifications of the registry values that control this behavior. Note that on Windows 8 and later with Secure Boot enabled, AppInit DLL loading is disabled, and the RequireSignedAppInit_DLLs value can restrict loading to signed DLLs; a change that enables loading or relaxes the signature requirement is as relevant to triage as a new DLL path. The companion Osquery queries collect supporting context (running services, the DNS cache and other host artifacts) for the investigation. The investigation guide walks analysts through the next steps and through the false positives that legitimate software (security products and accessibility tools that register hook DLLs) can produce. The rule maps to MITRE ATT&CK techniques for Persistence and Defense Evasion.
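The detection logic described above, written out as an added triage example that is not the rule's own EQL or any code from the rule repository. The registry value locations are the documented Windows ones; the event field names (registry.path, registry.data.strings, process.executable, event.type), the sample events and the trusted-directory heuristic are assumptions made for the example. It flags writes to the AppInit control values and raises the severity when a listed DLL lives outside the system directories or when the signature requirement is switched off.

```python
"""Triage registry-change events for AppInit DLL persistence (constructed example)."""
import re

# Values that control AppInit DLL loading, in the native and WOW64 registry views.
# Locations are the documented Windows ones; ECS-style field names are assumed.
APPINIT_VALUE = re.compile(
    r"^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows NT\\CurrentVersion\\Windows\\"
    r"(AppInit_DLLs|LoadAppInit_DLLs|RequireSignedAppInit_DLLs)$",
    re.IGNORECASE,
)

# Directories where an AppInit DLL is at least plausible (heuristic assumption).
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def classify_event(event):
    """Return an alert dict for a write to an AppInit control value, else None."""
    m = APPINIT_VALUE.match(event.get("registry.path", ""))
    if not m or event.get("event.type") != "change":
        return None
    value_name = m.group(1)
    data = [s for s in event.get("registry.data.strings", []) if s]
    if not data:
        return None  # value cleared: the persistence payload was removed, not installed
    alert = {
        "value": value_name,
        "data": data,
        "process": event.get("process.executable", ""),
        "severity": "medium",
    }
    if value_name.lower() == "appinit_dlls":
        # AppInit_DLLs holds a space- or comma-separated list of DLL paths.
        dlls = [d for d in re.split(r"[ ,]+", " ".join(data)) if d]
        alert["dlls"] = dlls
        if any(not d.lower().startswith(TRUSTED_DLL_DIRS) for d in dlls):
            alert["severity"] = "high"  # DLL outside the system directories
    elif value_name.lower() == "requiresignedappinit_dlls" and data == ["0"]:
        alert["severity"] = "high"  # signature requirement disabled
    return alert


def run_detection(events):
    """Apply classify_event to a stream of events and keep the alerts."""
    return [a for a in map(classify_event, events) if a]


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {  # benign: unrelated value under the same key
        "event.type": "change",
        "registry.path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout",
        "registry.data.strings": ["15"],
        "process.executable": r"C:\Windows\System32\svchost.exe",
    },
    {  # suspicious: user-writable DLL path written to AppInit_DLLs by reg.exe
        "event.type": "change",
        "registry.path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
        "registry.data.strings": [r"C:\Users\Public\evil.dll"],
        "process.executable": r"C:\Windows\System32\reg.exe",
    },
    {  # plausible: SysWOW64 DLL registered in the WOW64 view by an installer
        "event.type": "change",
        "registry.path": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
        "registry.data.strings": [r"C:\Windows\SysWOW64\vendorhook.dll"],
        "process.executable": r"C:\Program Files (x86)\Vendor\setup.exe",
    },
    {  # loading switched on
        "event.type": "change",
        "registry.path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs",
        "registry.data.strings": ["1"],
        "process.executable": r"C:\Windows\System32\reg.exe",
    },
    {  # value cleared: no alert
        "event.type": "change",
        "registry.path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
        "registry.data.strings": [""],
        "process.executable": r"C:\Windows\System32\reg.exe",
    },
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert["severity"], alert["value"], alert["data"], alert["process"])
```

The severity split mirrors the false-positive guidance: a System32 or SysWOW64 DLL written by an installer still deserves a look, but a DLL in a user-writable directory, or a write that disables RequireSignedAppInit_DLLs, should be escalated immediately. In a real pipeline, enrich the alert with the DLL's signature status and hash before deciding.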
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Application Log
- Process
- Network Traffic
- User Account
- Malware Repository
ATT&CK Techniques
- T1546
- T1546.010
- T1112
Created: 2020-11-18