
Summary
This detection rule monitors modifications to autostart extensibility points (ASEPs) in the Windows registry, specifically within the \SOFTWARE\Microsoft\Windows NT\CurrentVersion path. Changes in this area can indicate a persistence mechanism: malware that arranges to execute automatically at system startup by manipulating registry keys involved in system initialization and application execution. The rule employs several filters to distinguish legitimate modifications (such as those made by trusted applications) from potentially malicious activity: it excludes known processes and applications such as Microsoft Office and OneDrive, while focusing on the specific registry keys under this path that attackers most frequently target. Proper logging and analysis of these registry changes can help identify unauthorized modifications and improve endpoint security.
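As an added illustration of the logic described above (example code written for this page, not the rule's own implementation), the following Python applies the same path-and-writer filtering to a few constructed Sysmon-style registry events. The watched value names under CurrentVersion and the trusted image names are assumptions for the example.

```python
from dataclasses import dataclass

# Registry path the rule watches (named on the page). The value names below
# it are this example's assumption about which autostart points to focus on.
ASEP_ROOT = r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
WATCHED_SUBKEYS = (r"\Winlogon\Userinit", r"\Winlogon\Shell", r"\Windows\AppInit_DLLs")
# Writers treated as trusted, mirroring the page's Office/OneDrive filters.
# The exact image names are an assumption for this example.
TRUSTED_IMAGE_SUFFIXES = (r"\winword.exe", r"\excel.exe", r"\onedrive.exe")

@dataclass(frozen=True)
class RegistrySetEvent:
    """Minimal shape of a Sysmon 'registry value set' (Event ID 13) record."""
    image: str          # process that performed the write
    target_object: str  # full registry path written
    details: str        # new value

def touches_watched_asep(ev: RegistrySetEvent) -> bool:
    """True when the write lands on one of the watched CurrentVersion keys."""
    target = ev.target_object.lower()
    idx = target.find(ASEP_ROOT.lower())
    if idx < 0:
        return False
    tail = target[idx + len(ASEP_ROOT):]
    return tail.startswith(tuple(sk.lower() for sk in WATCHED_SUBKEYS))

def is_trusted_writer(ev: RegistrySetEvent) -> bool:
    """Allow-list check on the writing process, as the rule's filters do."""
    return ev.image.lower().endswith(TRUSTED_IMAGE_SUFFIXES)

def detect(events):
    """Events the rule alerts on: a watched key written by an untrusted image."""
    return [ev for ev in events
            if touches_watched_asep(ev) and not is_trusted_writer(ev)]

# Constructed sample events (illustrative, not real telemetry).
CV = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
SAMPLE_EVENTS = [
    RegistrySetEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                     CV + r"\Windows\AppInit_DLLs", ""),            # trusted writer: filtered
    RegistrySetEvent(r"C:\Users\Public\update.exe",
                     CV + r"\Winlogon\Userinit",
                     r"C:\Windows\system32\userinit.exe,C:\Users\Public\update.exe"),  # alert
    RegistrySetEvent(r"C:\Windows\System32\svchost.exe",
                     CV + r"\Fonts\Arial (TrueType)", "arial.ttf"),  # CurrentVersion, not an ASEP
]

if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        print(f"ALERT {ev.image} wrote {ev.target_object} = {ev.details!r}")
```

Only the second event survives both filters: it hits a watched key and the writer is not on the allow-list.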
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1547.001
Created: 2019-10-25