
Windows AppCertDLL Modification Via Command Line

Splunk Security Content

Summary
Detects attempts to modify the AppCertDLLs registry keys used by the Windows Session Manager to load DLLs at startup. Modifications to these keys can be abused to preload malicious code during early system startup, enabling persistence and privilege escalation. The rule surfaces anomalous process activity that references the AppCertDLLs path in its command line or in related process activity, indicating potential tampering. It correlates endpoint process telemetry from Sysmon (Event ID 1), the Windows Security log (Event ID 4688), and CrowdStrike ProcessRollup2 to provide context such as process name, hashes, user, parent process, and command-line details. If confirmed malicious, the activity may lead to system compromise and evasion of controls.
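The command-line match described above, as an added stand-alone example (not the rule's own SPL or Splunk Security Content code): it runs a case-insensitive AppCertDLLs match over constructed process events shaped like the Endpoint.Processes data model and returns the context fields the summary lists. The field names, the `COMMAND_LINE_TOOLS` list and the confidence labels are assumptions of this example.

```python
import re
from typing import Dict, Iterable, List

# Match the key name case-insensitively; matching the name alone (not a full
# path) also catches HKLM:\ PowerShell-style paths and abbreviated hive names.
APPCERTDLLS_RE = re.compile(r"appcertdlls", re.IGNORECASE)

# Native tooling that edits the registry straight from the command line (assumed list).
COMMAND_LINE_TOOLS = {"reg.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}


def references_appcertdlls(command_line: str) -> bool:
    """True when a process command line names the AppCertDLLs key."""
    return bool(APPCERTDLLS_RE.search(command_line or ""))


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """One alert per event whose command line references AppCertDLLs.
    Field names follow Splunk's Endpoint.Processes data model (an assumption
    of this example, not the rule's own field list)."""
    alerts = []
    for ev in events:
        if not references_appcertdlls(ev.get("process", "")):
            continue
        name = ev.get("process_name", "").lower()
        alerts.append({
            "dest": ev.get("dest", ""),
            "user": ev.get("user", ""),
            "parent_process_name": ev.get("parent_process_name", ""),
            "process_name": name,
            "process": ev.get("process", ""),
            "confidence": "high" if name in COMMAND_LINE_TOOLS else "medium",
            "technique": "T1546.009",
        })
    return alerts


# Constructed sample telemetry (not real logs): the first two events should
# fire, the last two should not.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "CORP\\alice", "parent_process_name": "cmd.exe",
     "process_name": "reg.exe",
     "process": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls" /v example /t REG_SZ /d C:\placeholder\example.dll'},
    {"dest": "ws01", "user": "CORP\\alice", "parent_process_name": "explorer.exe",
     "process_name": "PowerShell.EXE",
     "process": r"powershell.exe Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls' -Name example -Value C:\placeholder\example.dll"},
    {"dest": "ws02", "user": "NT AUTHORITY\\SYSTEM", "parent_process_name": "services.exe",
     "process_name": "reg.exe",
     "process": r'reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v BootExecute'},
    {"dest": "ws02", "user": "CORP\\bob", "parent_process_name": "explorer.exe",
     "process_name": "notepad.exe", "process": r"notepad.exe C:\Users\bob\notes.txt"},
]
```

The third event shows why the match is on the key name rather than on "Session Manager": legitimate queries of sibling values under that key should stay quiet. To confirm that a flagged command actually changed the key, pair this with registry value-set telemetry (Sysmon Event ID 13) for the same host and time window.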
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1546.009
Created: 2026-04-13