
Registry Keys Used For Persistence

Splunk Security Content

Summary
This detection rule identifies modifications to Windows registry keys that malicious actors commonly abuse to maintain persistence. It focuses on key paths used to launch applications or services at system startup. Data is sourced from endpoint detection tools such as Sysmon and Carbon Black, giving visibility into registry changes that may indicate an unauthorized attempt to retain access or execute code at boot. The rule matters for threat detection because it surfaces activity aimed at compromising system integrity and control. Its keywords are persistence, registry keys, and unauthorized modifications; legitimate software also writes these keys, so false positives must be tuned for. Implementing the rule requires sufficient logging of registry activity from an endpoint monitoring solution.
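As an added illustration of the detection logic the summary describes (example code, not the rule's own Splunk search), the following Python flags Sysmon Event ID 13 writes under Run/RunOnce keys and suppresses an allowlisted updater to show false-positive tuning. The key paths, the allowlisted image path and the sample events are assumptions, since the page does not list the rule's exact paths.

```python
# Added example (not the Splunk rule's own search): flag Sysmon Event ID 13
# "Value Set" events that write under an autostart key and are not allowlisted.
# The Run/RunOnce paths are the standard T1547.001 locations, assumed here
# because the page does not list the exact paths the rule matches.
import re
from typing import Dict, List

# Assumed autostart key paths; final group allows a value name or end of path.
AUTOSTART_RE = re.compile(
    r"\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(Once)?(\\|$)",
    re.IGNORECASE,
)

# Known-good writers (constructed path); tune per environment to cut false positives.
ALLOWLISTED_IMAGES = {r"c:\program files\example vendor\updater.exe"}


def detect_persistence_writes(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per autostart registry write by a non-allowlisted process."""
    findings = []
    for ev in events:
        if ev.get("EventID") != "13" or ev.get("EventType") != "SetValue":
            continue  # only registry value-set events are in scope
        if not AUTOSTART_RE.search(ev.get("TargetObject", "")):
            continue  # not an autostart location
        if ev.get("Image", "").lower() in ALLOWLISTED_IMAGES:
            continue  # legitimate software behaviour, suppressed
        findings.append({
            "user": ev.get("User", ""),
            "image": ev.get("Image", ""),
            "target": ev["TargetObject"],
            "details": ev.get("Details", ""),
            "technique": "T1547.001",
        })
    return findings


# Constructed sample events in Sysmon Event ID 13 field layout.
SAMPLE_EVENTS = [
    {"EventID": "13", "EventType": "SetValue", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\u.exe"},
    {"EventID": "13", "EventType": "SetValue", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Program Files\Example Vendor\updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "Details": r"C:\Program Files\Example Vendor\updater.exe"},
    {"EventID": "13", "EventType": "SetValue", "User": r"CORP\alice",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": r"DWORD (0x00000001)"},
]
```

Running `detect_persistence_writes(SAMPLE_EVENTS)` yields a single finding for the `reg.exe` write; the vendor updater is suppressed by the allowlist and the Explorer setting never matches an autostart path.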
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • User Account
  • Process
ATT&CK Techniques
  • T1547.001
  • T1547
Created: 2025-01-27