
Windows Registry BootExecute Modification

Splunk Security Content

Summary
This analytic rule detects unauthorized modifications to the BootExecute registry value, which controls the native applications and services the Session Manager runs during system boot. Modifications to the value located at "HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute" can indicate attempts by malware to gain persistence, load malicious code at startup, or alter standard boot behavior. Using Sysmon EventID 12 (registry object added or deleted) and EventID 13 (registry value set), the rule inspects changes recorded in the Endpoint.Registry datamodel. Confirmed malicious alterations could impair system stability or grant attackers unauthorized control during the boot process. The detection filters for registry events whose value data is non-null and uses Splunk commands to filter and format the output. Organizations should be aware of potential false positives from legitimate software that writes to this value, and should confirm they are ingesting Windows Registry events through the appropriate datamodel configuration.
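The filter the rule applies (Sysmon EventID 12/13, target path ending in the BootExecute value, non-null data), re-implemented here in Python over constructed Sysmon-style events as an added example; this is not Splunk's search and assumes Sysmon's TargetObject/Details field names and the stock default value "autocheck autochk *" as a triage baseline.

```python
import re
from typing import Iterable

# Registry value watched by the rule (path quoted in the summary above).
BOOTEXECUTE_RE = re.compile(
    r"\\Control\\Session Manager\\BootExecute$", re.IGNORECASE)
# Data a stock Windows install carries in BootExecute (assumed baseline).
EXPECTED_DEFAULT = "autocheck autochk *"

def is_bootexecute_change(event: dict) -> bool:
    """Mirror the rule's filter: Sysmon registry event (12 or 13) that
    touches the BootExecute value and carries non-null registry data."""
    if event.get("EventID") not in (12, 13):
        return False
    if not BOOTEXECUTE_RE.search(event.get("TargetObject", "")):
        return False
    return event.get("Details") not in (None, "", "(null)")

def detect(events: Iterable[dict]) -> list:
    """One finding per matching event; deviates_from_default is a triage
    hint for analysts (legitimate tools may rewrite the default value)."""
    findings = []
    for ev in events:
        if not is_bootexecute_change(ev):
            continue
        findings.append({
            "host": ev.get("Computer"),
            "user": ev.get("User"),
            "image": ev.get("Image"),
            "data": ev["Details"],
            "deviates_from_default":
                ev["Details"].strip().lower() != EXPECTED_DEFAULT,
        })
    return findings

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "ws01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute",
     "Details": "autocheck autochk *"},                      # benign rewrite of default
    {"EventID": 13, "Computer": "ws02", "User": "CORP\\bob",
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute",
     "Details": "autocheck autochk * C:\\Windows\\Temp\\unknown.exe"},  # extra entry
    {"EventID": 13, "Computer": "ws03", "TargetObject": "HKLM\\Software\\Foo\\Bar", "Details": "x"},
    {"EventID": 1, "Computer": "ws04", "TargetObject": "HKLM\\...\\BootExecute", "Details": "x"},
]
```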
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Script
ATT&CK Techniques
  • T1542
  • T1547.001
Created: 2024-12-16