Startup Folder Persistence via Unsigned Process

Elastic Detection Rules

Summary
This detection rule identifies a potential persistence mechanism in which an unsigned process writes to the Windows Startup folder. Programs placed in the Startup folder run automatically at user logon, which makes it an attractive location for attackers seeking persistence without any further user interaction. The rule uses a sequence detection strategy: it looks for processes that are not explicitly trusted (unsigned, or signed by an untrusted publisher) and that subsequently write files to the Startup folder, a combination that may indicate malicious intent. The accompanying Osquery component supports investigation by querying the DNS cache and service details, giving the analyst operational context around the event. Because benign applications can also write to these folders during updates or installations, the rule stresses thorough investigation to limit false positives. It also includes triage, response, and remediation steps for handling any confirmed persistence mechanism.
Categories
  • Endpoint
  • Windows
Data Sources
  • File
  • Process
  • User Account
ATT&CK Techniques
  • T1547
  • T1547.001
  • T1036
  • T1036.001
Created: 2020-11-29