
Summary
This anomaly rule detects modifications to the Windows RemoteAccess registry entry (specifically under Services\RemoteAccess\RouterManagers\Ip*), which malware or threat actors may abuse to gain persistence by registering a DLL that is loaded at startup. The detection targets Sysmon EventID 13 (registry value set) and uses the Endpoint.Registry data model to surface registry_path, registry_value_data and related fields, together with the process responsible for the change. The rule notes that Gh0st RAT has been observed using this technique. When the key or value is modified, the rule fires so that analysts can investigate whether the change is legitimate (e.g., a software update or an admin-driven configuration) or malicious. It is recommended to review system service events, especially those for remote access services, to correlate the change with its source, and to apply filters to reduce false positives. The rule maps to MITRE ATT&CK T1112 (Modify Registry) and requires a current CIM app (4.20+) and the endpoint TA for reliable data ingestion. Known false positives include legitimate administrative changes to RemoteAccess settings; investigators should verify the source, whether the executable is signed, and the executing process before taking action.
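As an added illustration (not the rule's own SPL), the following Python applies the same logic to constructed Sysmon records normalised to Endpoint.Registry field names: match the RouterManagers\Ip* path on EventID 13 only, carry the responsible process and value data into the finding, and tag rather than drop events whose process appears on an analyst-supplied list of expected processes. The sample events, the field set and the DLL-location triage hint are assumptions made for this example.

```python
import fnmatch

# Registry path the rule keys on (wildcard as given in the rule description),
# compared case-insensitively because Windows registry paths are.
TARGET_PATH_GLOB = "*\\services\\remoteaccess\\routermanagers\\ip*"
RA_KEY = "HKLM\\System\\CurrentControlSet\\Services\\RemoteAccess\\RouterManagers\\Ip"

# Constructed Sysmon records normalised to Endpoint.Registry field names;
# sample input for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 13, "dest": "WS01", "user": "CORP\\alice",
     "process_path": "C:\\Windows\\System32\\svchost.exe",
     "registry_path": RA_KEY, "registry_value_name": "DLLPath",
     "registry_value_data": "%SystemRoot%\\System32\\iprtrmgr.dll"},
    {"EventCode": 13, "dest": "WS02", "user": "CORP\\bob",
     "process_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
     "registry_path": RA_KEY, "registry_value_name": "DLLPath",
     "registry_value_data": "C:\\Users\\bob\\AppData\\Local\\Temp\\rm.dll"},
    {"EventCode": 13, "dest": "WS03", "user": "CORP\\carol",
     "process_path": "C:\\Windows\\System32\\svchost.exe",
     "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
     "registry_value_name": "Domain", "registry_value_data": "corp.example"},
    {"EventCode": 12, "dest": "WS04", "user": "CORP\\dave",  # key create, not a value set
     "process_path": "C:\\Windows\\System32\\svchost.exe",
     "registry_path": RA_KEY, "registry_value_name": "", "registry_value_data": ""},
]

def is_remoteaccess_routermanager_path(registry_path):
    return fnmatch.fnmatchcase(registry_path.lower(), TARGET_PATH_GLOB)

def dll_outside_system32(value_data):
    # Triage hint (added heuristic): expand %SystemRoot% and check where the DLL lives.
    p = value_data.lower().replace("%systemroot%\\", "c:\\windows\\")
    return not p.startswith("c:\\windows\\system32\\")

def detect(events, expected_process_paths=()):
    """One finding per Sysmon EventID 13 that sets a value under RouterManagers\\Ip*.
    expected_process_paths is an analyst-maintained tuning list (placeholder here);
    matching processes are tagged for review, not suppressed."""
    expected = {p.lower() for p in expected_process_paths}
    findings = []
    for ev in events:
        if ev.get("EventCode") != 13 or not is_remoteaccess_routermanager_path(ev["registry_path"]):
            continue
        findings.append({
            "dest": ev["dest"], "user": ev["user"], "process_path": ev["process_path"],
            "registry_path": ev["registry_path"],
            "registry_value_name": ev["registry_value_name"],
            "registry_value_data": ev["registry_value_data"],
            "dll_outside_system32": dll_outside_system32(ev["registry_value_data"]),
            "process_expected": ev["process_path"].lower() in expected,
        })
    return findings
```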
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1112
Created: 2026-03-24