
Summary
This rule identifies modifications to Windows registry run keys or startup folder items, techniques often employed by attackers to achieve persistence on compromised systems. The detection logic tracks changes to the specific registry hives associated with user and machine startup configuration, including keys under `HKEY_USERS` and `HKLM` that launch programs automatically during user logon. The rule uses an EQL (Event Query Language) query to detect changes in the relevant registry paths while excluding benign modifications commonly seen during software installation or system updates. Analysts are provided with triage and investigation guidance that recommends steps for identifying potential threats, such as examining the process execution chain and scrutinizing the entries written to the registry for signs of malicious behavior. The rule also acknowledges the likelihood of false positives and encourages analysts to verify the activity before escalating. Additionally, the rule references the associated Tactics, Techniques, and Procedures (TTPs) from the MITRE ATT&CK framework, specifically under the Persistence tactic.
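As an added illustration of the detection logic the summary describes (not the rule's own EQL query, which this page does not reproduce), the Python below flags registry change events under the Run/RunOnce keys and the Startup shell-folder values of `HKLM` and `HKEY_USERS`, skipping a constructed allow-list of installer processes. The key paths, event field names, allow-list and sample events are all assumptions made for the example.

```python
import re

# Autostart locations this example watches (assumption: the well-known Run and
# RunOnce keys, and the Startup / Common Startup shell-folder values that point
# at the startup folders). Matching on "\Microsoft\..." also covers Wow6432Node.
AUTOSTART_PATTERNS = [
    re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I),
    re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Explorer"
               r"\\User Shell Folders\\(?:Common )?Startup$", re.I),
]
# Only machine-wide and per-user hives are in scope for this check.
HIVE_PREFIX = re.compile(r"^(?:HKLM|HKEY_USERS\\[^\\]+)\\", re.I)
# Constructed allow-list standing in for the rule's installer/updater exclusions.
BENIGN_PROCESSES = {"msiexec.exe", "setup.exe"}

# Constructed sample registry events (hypothetical field names).
SID = r"S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    {"event_type": "change", "process_name": "powershell.exe",
     "registry_path": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"event_type": "change", "process_name": "cmd.exe",
     "registry_path": r"HKEY_USERS\%s\Software\Microsoft\Windows\CurrentVersion\RunOnce\svc" % SID},
    {"event_type": "change", "process_name": "msiexec.exe",
     "registry_path": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"},
    {"event_type": "change", "process_name": "setup.exe",
     "registry_path": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\VendorAgent"},
    {"event_type": "change", "process_name": "explorer.exe",
     "registry_path": r"HKEY_USERS\%s\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup" % SID},
]


def is_autostart_path(path: str) -> bool:
    """True when the path is a Run/RunOnce value or a Startup shell-folder value in HKLM/HKEY_USERS."""
    if not HIVE_PREFIX.match(path):
        return False
    return any(p.search(path) for p in AUTOSTART_PATTERNS)


def detect(events):
    """Return the change events on autostart paths not made by an allow-listed process."""
    alerts = []
    for ev in events:
        if ev.get("event_type") != "change":
            continue
        if not is_autostart_path(ev.get("registry_path", "")):
            continue
        if ev.get("process_name", "").lower() in BENIGN_PROCESSES:
            continue
        alerts.append(ev)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["process_name"], "->", a["registry_path"])
```

With the sample events, the installer-driven Run change and the Uninstall key change are dropped, while the PowerShell, cmd and startup-folder redirection events are reported for triage.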
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
ATT&CK Techniques
- T1547
- T1547.001
Created: 2020-11-18