
Summary
This detection rule identifies a registry artifact left by the Pandemic Windows implant, a kernel-mode file-system filter driver published in the Vault 7 leak. Pandemic does not open its own command channel; it sits on a compromised file server and swaps in trojaned copies of executables as remote users fetch them over SMB, so a trusted share becomes a malware distribution point. The rule looks for registry objects whose path falls under the Instances subkey of the null service (HKLM\SYSTEM\CurrentControlSet\services\null\Instances\). Instances is the subkey a file-system minifilter registers itself under, and the stock null driver is not a filter and has no reason to own that key, so an entry there is a high-confidence indicator rather than a noisy one. The rule is built from published indicators of compromise and is mapped to the command-and-control category of existing attack frameworks because the implant's role is delivering payloads into a victim network. Any match warrants immediate investigation of the host: which process created the key, what the instance entry specifies, and which files the server has handed out since.
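The detection condition described above, expressed as an added Python example that is not part of the original rule or page. It runs over a few constructed Sysmon-style registry events (Event ID 12 for key create/delete, 13 for value set, with the TargetObject field); the event records are sample data, not output from a real host. The match is a case-insensitive substring test on the Instances subkey of the null service, which generalizes slightly beyond the CurrentControlSet path the rule names by also catching the numbered control-set spellings (ControlSet001 and so on):

```python
import re

# Constructed Sysmon-style registry events (sample data, not from a real host).
# EventID 12 = registry key created/deleted, 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 12, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\null\Start"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\FltMgr\Instances\FltMgr Instance"},
    {"EventID": 12, "Image": r"C:\Windows\System32\ntoskrnl.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\null\Instances\null Instance"},
    {"EventID": 13, "Image": r"C:\Windows\System32\ntoskrnl.exe",
     "TargetObject": r"HKLM\System\ControlSet001\Services\null\Instances\null Instance\Altitude"},
]

# Indicator: any registry object under the Instances subkey of the "null" service.
# Instances is where a file-system minifilter registers; the stock null driver
# is not a minifilter, so legitimate software has no reason to create this key.
# Case-insensitive and control-set agnostic (matches CurrentControlSet, ControlSet001, ...).
_PANDEMIC_PATH = re.compile(r"\\Services\\null\\Instances\\", re.IGNORECASE)


def matches_pandemic_rule(target_object: str) -> bool:
    """Return True when a registry TargetObject path hits the Pandemic indicator."""
    return bool(_PANDEMIC_PATH.search(target_object))


def detect(events):
    """Return the registry events (Sysmon IDs 12 and 13) whose TargetObject matches."""
    return [
        e for e in events
        if e.get("EventID") in (12, 13) and matches_pandemic_rule(e.get("TargetObject", ""))
    ]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT Pandemic registry key: {hit['TargetObject']} "
              f"(EventID {hit['EventID']}, image {hit['Image']})")
```

The benign events (the null service's own Start value, and FltMgr's legitimate Instances key) do not fire; only the two events touching null\Instances do. Because the match is on the path rather than on the writing process, it also fires when the key is created by a kernel component, which is how a kernel-shellcode installer would appear in Sysmon.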
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
Created: 2017-06-01