Registry Persistence via AppCert DLL

Elastic Detection Rules

Summary
This detection rule identifies attempts to maintain persistence on Windows systems by monitoring changes to the registry keys associated with AppCert DLLs. AppCert DLLs are dynamic link libraries that Windows loads automatically into processes that call certain process-creation API functions. The mechanism exists for legitimate software compatibility, but an attacker who can write to the associated registry location can register a malicious DLL and have it loaded repeatedly, surviving reboots. The rule monitors events for changes to the specific registry paths tied to AppCert DLLs and is written in EQL (Event Query Language), querying logs from data sources such as Winlogbeat and Sysmon. Analysts can use the Triage and Analysis section to investigate alerts raised by this rule: confirm whether the change was authorized, review event logs for suspicious user behavior around the modification, and take response actions such as isolating affected systems and removing malicious entries from the registry.
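To make the rule's logic concrete, the following is an added example that is not Elastic's EQL rule or any code from the page. It assumes the well-known AppCert DLL registry location under HKLM\SYSTEM\<ControlSet>\Control\Session Manager\AppCertDlls (the page does not spell the path out), runs over constructed Sysmon-like registry events, and adds a hypothetical allowlist of vetted DLL paths to show how an analyst would suppress known-good entries during triage.

```python
import re

# Registry key that Windows consults for AppCert DLLs. This is the commonly
# documented location for the mechanism (assumed here; not stated on the page).
# Both CurrentControlSet and the numbered ControlSetNNN aliases are matched,
# since an attacker may write to either form of the path.
APPCERT_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Control\\Session Manager\\AppCertDlls(?:\\|$)",
    re.IGNORECASE,
)

# Hypothetical allowlist of DLL paths an organisation has already vetted.
# Compared case-insensitively because Windows paths are case-insensitive.
KNOWN_GOOD_DLLS = {
    r"c:\program files\vendor\compatshim.dll",
}

# Constructed sample events in a Sysmon-like shape (Event ID 13 style fields).
# These are not real telemetry.
SAMPLE_EVENTS = [
    {   # suspicious: AppCertDlls value pointing at a user-writable location
        "event_type": "registry", "action": "modification",
        "registry_path": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\Default",
        "registry_data": r"C:\Users\Public\compat.dll",
        "process_name": "reg.exe", "user": "DESKTOP\\alice",
    },
    {   # benign: unrelated Run key written by an installer
        "event_type": "registry", "action": "modification",
        "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
        "registry_data": r"C:\Program Files\Vendor\updater.exe",
        "process_name": "msiexec.exe", "user": "NT AUTHORITY\\SYSTEM",
    },
    {   # suspicious: numbered control set alias, DLL dropped in a temp directory
        "event_type": "registry", "action": "modification",
        "registry_path": r"HKLM\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls\shim",
        "registry_data": r"C:\Windows\Temp\x.dll",
        "process_name": "powershell.exe", "user": "DESKTOP\\bob",
    },
    {   # matches the key but is on the vetted allowlist, so it is suppressed
        "event_type": "registry", "action": "creation",
        "registry_path": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\vendor",
        "registry_data": r"C:\Program Files\Vendor\CompatShim.dll",
        "process_name": "setup.exe", "user": "NT AUTHORITY\\SYSTEM",
    },
]


def is_appcert_modification(event):
    """True when a registry event creates or modifies a value under AppCertDlls."""
    if event.get("event_type") != "registry":
        return False
    if event.get("action") not in {"modification", "creation"}:
        return False
    return APPCERT_KEY.search(event.get("registry_path", "")) is not None


def find_appcert_persistence(events, allowlist=KNOWN_GOOD_DLLS):
    """Return one alert record per AppCertDlls write whose DLL is not allowlisted.

    Each alert carries the fields an analyst needs for triage: who wrote the
    value, from which process, and which DLL path is now registered to load.
    """
    alerts = []
    for ev in events:
        if not is_appcert_modification(ev):
            continue
        dll = ev.get("registry_data", "")
        if dll.lower() in allowlist:
            continue  # vetted entry; do not page anyone for it
        alerts.append({
            "technique": "T1546.009",
            "registry_path": ev["registry_path"],
            "registry_data": dll,
            "process_name": ev.get("process_name", ""),
            "user": ev.get("user", ""),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_appcert_persistence(SAMPLE_EVENTS):
        print(alert)
```

The regex anchors on the full key so that unrelated keys containing the word "AppCertDlls" elsewhere in their path do not fire, and the allowlist is the triage step the summary describes: confirming whether a change was authorized before escalating to isolation and cleanup.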
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Logon Session
  • Process
  • User Account
ATT&CK Techniques
  • T1546
  • T1546.009
Created: 2020-11-18