Registry Entry Created - PowerShell

Anvilogic Forge

Summary
This detection rule identifies the creation of new Windows Registry entries via PowerShell scripting, activity that can indicate persistence mechanisms or other configuration tampering by adversaries. It looks for the PowerShell commands used to write registry keys and values: 'New-Item', 'New-ItemProperty', 'Set-ItemProperty', and the aliases 'sp' and 'sip'. The rule is built on the PowerShell operational log, specifically EventCode 4104 (script block logging, which records the script text that was executed) and EventCode 4103 (module logging, which records each command invocation together with its bound parameters). Neither event is produced by default: 4104 requires Script Block Logging and 4103 requires Module Logging to be enabled through Group Policy or the equivalent registry settings (PowerShell 5 and later does log 4104 on its own for a built-in list of suspicious script blocks). Regex parsing of the command text extracts the time, host, user, and process name for further analysis. Because legitimate administration scripts and software installers also write registry entries with these cmdlets, analysts should baseline the hosts, users, and target keys seen in normal operation and pay particular attention to writes under autostart, policy, and security-product locations. With that context, security teams can quickly determine whether unauthorized changes are being made to system settings that conceal malicious activity or help an attacker maintain a foothold in the target environment.
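To make the matching logic in the summary concrete, the following is an added example for this page, written in Python and run over constructed sample events; it is not Anvilogic's rule or query. Field names (_time, Computer, User, EventCode, ScriptBlockText for 4104, Payload for 4103) follow the way Splunk presents the Microsoft-Windows-PowerShell/Operational log, the 'process' field is assumed to have been joined in from process telemetry, and the cmdlet and registry-path patterns are this example's own, not the rule's regex.

```python
import re
from dataclasses import dataclass

# Cmdlets and aliases the rule text lists.  'sp' is PowerShell's built-in alias
# for Set-ItemProperty; 'sip' is included because the rule names it.  The
# lookbehind/lookahead keep the short aliases from matching inside '$sp',
# 'Split-Path', 'DisableAntiSpyware' and similar tokens.
CMDLET_RE = re.compile(
    r"(?i)(?<![\w$-])(New-ItemProperty|New-Item|Set-ItemProperty|sp|sip)(?![\w-])"
)
# A registry target in any form PowerShell accepts: PSDrive (HKLM:\...),
# provider path (Registry::HKEY_...) or a bare hive name.
REGISTRY_RE = re.compile(
    r"(?i)(?:\bHK(?:LM|CU|CR|U|CC):|Registry::"
    r"|\bHKEY_(?:LOCAL_MACHINE|CURRENT_USER|CLASSES_ROOT|USERS|CURRENT_CONFIG)\b)"
)


@dataclass
class Alert:
    time: str
    host: str
    user: str
    process: str
    event_code: int
    cmdlet: str
    matched_text: str


def _units(event, scope):
    """Chunks of command text to test.  A 4104 event carries a whole script
    block: in 'statement' scope it is split on ';' and newlines so the cmdlet
    and the registry path must co-occur in one statement.  A 4103 event records
    a single command invocation (CommandInvocation plus its ParameterBinding
    lines), so its Payload is always one unit."""
    if event["EventCode"] == 4104:
        text = event["ScriptBlockText"]
        if scope == "statement":
            return [s.strip() for s in re.split(r"[;\r\n]+", text) if s.strip()]
        return [text.strip()]
    return [event["Payload"].strip()]


def detect(events, scope="statement"):
    """Run the rule over event dicts and return one Alert per matching unit.
    scope='statement' accepts some false negatives for fewer false positives;
    scope='event' is the reverse (compare samples 5 and 7 below)."""
    alerts = []
    for ev in events:
        if ev.get("EventCode") not in (4103, 4104):
            continue
        for unit in _units(ev, scope):
            cmd = CMDLET_RE.search(unit)
            if cmd and REGISTRY_RE.search(unit):
                alerts.append(Alert(ev["_time"], ev["Computer"], ev["User"],
                                    ev["process"], ev["EventCode"],
                                    cmd.group(1), unit))
    return alerts


def _ev(code, text):
    """Build a constructed sample event; 'process' is an assumed joined-in field."""
    base = {"_time": "2024-02-09T10:00:00Z", "Computer": "WS01",
            "User": r"CORP\alice", "process": "powershell.exe", "EventCode": code}
    base["ScriptBlockText" if code == 4104 else "Payload"] = text
    return base


SAMPLE_EVENTS = [  # constructed, not real telemetry
    # 1. Run-key value written with the full cmdlet name -> fires.
    _ev(4104, r'New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" '
              r'-Name Updater -Value "C:\Users\Public\u.exe" -PropertyType String'),
    # 2. Write through the 'sp' alias with positional parameters -> fires.
    _ev(4104, r"sp 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' Shell 'explorer.exe,C:\ProgramData\x.exe'"),
    # 3. New key rather than new value -> fires.
    _ev(4104, r"New-Item -Path HKCU:\Software\Contoso\Agent -Force"),
    # 4. Set-ItemProperty against the file system, not the registry -> no alert.
    _ev(4104, r"Set-ItemProperty -Path C:\Temp\report.txt -Name IsReadOnly -Value $true"),
    # 5. '$sp' is a variable and Get-ItemProperty only reads -> no alert.
    _ev(4104, r"$sp = Get-ItemProperty -Path HKLM:\SOFTWARE\Contoso"),
    # 6. Module-logging (4103) view of a registry write -> fires.
    _ev(4103, "\n".join([
        'CommandInvocation(Set-ItemProperty): "Set-ItemProperty"',
        r'ParameterBinding(Set-ItemProperty): name="Path"; value="HKLM:\SOFTWARE\Contoso\Agent"',
        'ParameterBinding(Set-ItemProperty): name="Name"; value="Enabled"',
        'ParameterBinding(Set-ItemProperty): name="Value"; value="0"'])),
    # 7. Path passed via a variable: cmdlet and hive sit in different statements,
    #    so statement scope misses it and event scope catches it.
    _ev(4104, r"$k = 'HKLM:\SOFTWARE\Contoso'; New-ItemProperty -Path $k -Name Flag -Value 1"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.time} {a.host} {a.user} {a.process} {a.event_code} {a.cmdlet}: {a.matched_text}")
```

Sample 7 is the caveat worth remembering about any regex rule of this kind: once the target path lives in a variable, a pipeline, or a string built at run time, the cmdlet and the hive name no longer appear together, so the narrower statement-level match is evaded while the event-level match survives only as long as the hive name is still written somewhere in the same script block. Tuning should start from which of those two trade-offs the environment can tolerate.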
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Script
  • Process
ATT&CK Techniques
  • T1112
Created: 2024-02-09