Windows Modify Registry Risk Behavior

Splunk Security Content

Summary
The rule 'Windows Modify Registry Risk Behavior' identifies potentially malicious activity involving multiple registry modifications on Windows systems. Specifically, it fires when three or more distinct registry modification detections, each annotated with MITRE ATT&CK technique T1112 ('Modify Registry'), are observed for the same risk object. The analytic is built on the Risk data model in Splunk, filtering on registry-related detection sources and their MITRE annotations rather than on raw registry events. Correlating several registry detections in this way helps surface attempts to establish persistence, hide malicious configuration, or remove forensic traces of activity. A confirmed detection indicates a significant risk that an attacker is maintaining long-term access, executing unauthorized code, and evading conventional defenses, compromising the integrity and security of the affected systems.
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1112
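The correlation described in the summary, reimplemented in Python as an added example (this is not the Splunk search itself or any Splunk Security Content code). The field names `risk_object`, `source` and `mitre_technique_id` are assumptions modelled on the Risk data model, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample risk events; the detection names are made up for this
# example and the field names are assumptions based on the Risk data model.
SAMPLE_RISK_EVENTS = [
    # WS-01: three distinct registry detections tagged T1112 -> should fire
    {"risk_object": "WS-01", "source": "Windows Registry Run Key Added (constructed)",
     "mitre_technique_id": ["T1112", "T1547.001"]},
    {"risk_object": "WS-01", "source": "Windows Registry Defender Tamper (constructed)",
     "mitre_technique_id": ["T1112", "T1562.001"]},
    {"risk_object": "WS-01", "source": "Windows Registry UAC Bypass Key (constructed)",
     "mitre_technique_id": ["T1112"]},
    # WS-02: only two distinct registry detections plus one non-registry one
    {"risk_object": "WS-02", "source": "Windows Registry Run Key Added (constructed)",
     "mitre_technique_id": ["T1112"]},
    {"risk_object": "WS-02", "source": "Windows Registry Defender Tamper (constructed)",
     "mitre_technique_id": ["T1112"]},
    {"risk_object": "WS-02", "source": "Windows Scheduled Task Created (constructed)",
     "mitre_technique_id": ["T1053.005"]},
    # WS-03: three events, but all from the same detection -> distinct count is 1
    {"risk_object": "WS-03", "source": "Windows Registry Run Key Added (constructed)",
     "mitre_technique_id": ["T1112"]},
    {"risk_object": "WS-03", "source": "Windows Registry Run Key Added (constructed)",
     "mitre_technique_id": ["T1112"]},
    {"risk_object": "WS-03", "source": "Windows Registry Run Key Added (constructed)",
     "mitre_technique_id": ["T1112"]},
]


def correlate_registry_risk(events, threshold=3):
    """Return {risk_object: [distinct sources]} for objects that accumulated
    at least `threshold` distinct registry detections annotated with T1112."""
    distinct_sources = defaultdict(set)
    for ev in events:
        # Keep only detections annotated with T1112 (Modify Registry).
        if "T1112" not in ev.get("mitre_technique_id", []):
            continue
        # Keep only registry-related detection sources, mirroring the
        # source filter in the summary.
        if "registry" not in ev["source"].lower():
            continue
        distinct_sources[ev["risk_object"]].add(ev["source"])
    # Count distinct detection names, not raw events, so one noisy
    # detection firing repeatedly does not reach the threshold on its own.
    return {obj: sorted(srcs) for obj, srcs in distinct_sources.items()
            if len(srcs) >= threshold}


if __name__ == "__main__":
    for obj, srcs in correlate_registry_risk(SAMPLE_RISK_EVENTS).items():
        print(f"{obj}: {len(srcs)} distinct registry detections -> {srcs}")
```

Only WS-01 is reported; WS-02 falls short on distinct registry detections and WS-03 shows why counting distinct sources rather than raw events matters.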
Created: 2024-11-13