
Summary
This detection rule identifies a persistence technique in which an attacker registers a custom protocol handler in the Windows registry. Legitimate applications frequently register protocol handlers during installation; a malicious actor can abuse the same mechanism by creating a custom handler that keeps a foothold on the system. The rule looks for registry entries whose path starts with 'HKCR\' and whose details begin with 'URL:', which indicates a custom protocol registration. To reduce false positives from legitimate software, additional filters exclude entries whose URL begins with 'ms-' and entries whose image path falls within common locations for Windows system files and applications. The detection is classified as medium severity, reflecting the potential impact of such a persistence mechanism if used by a threat actor.
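The matching logic the summary describes, written out as an added Python example rather than the rule's own query; the Sysmon-style field names (TargetObject, Details, Image), the sample events and the list of "common" image-path prefixes are assumptions made for this illustration.

```python
# Constructed sample registry-value-set events, modelled on Sysmon-style
# fields. These are illustrative records, not real telemetry.
SAMPLE_EVENTS = [
    # Microsoft's own ms-* protocol: excluded by the 'ms-' filter
    {"TargetObject": r"HKCR\ms-settings", "Details": "URL:ms-settings",
     "Image": r"C:\Windows\System32\svchost.exe"},
    # Legitimate installer writing from Program Files: excluded by the path filter
    {"TargetObject": r"HKCR\acrobat", "Details": "URL:Acrobat Protocol",
     "Image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"},
    # Handler registered by a binary in a user temp folder: this one alerts
    {"TargetObject": r"HKCR\updater", "Details": "URL:updater",
     "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},
    # Ordinary file-type association, no 'URL:' marker: not a protocol handler
    {"TargetObject": r"HKCR\.txt", "Details": "txtfile",
     "Image": r"C:\Windows\explorer.exe"},
]

# Assumed allow list of "common locations for Windows system files and
# applications"; tune to the environment. Compared case-insensitively.
ALLOWED_IMAGE_PREFIXES = tuple(p.lower() for p in (
    "C:\\Windows\\",
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
))


def is_suspicious_protocol_handler(event: dict) -> bool:
    """Return True when an event matches the rule after both false-positive filters."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    image = event.get("Image", "")
    # Core match: HKCR\ key whose value data begins with 'URL:'
    if not target.upper().startswith("HKCR\\"):
        return False
    if not details.startswith("URL:"):
        return False
    # Filter 1: Microsoft 'ms-' protocols (URL:ms-...)
    if details[len("URL:"):].lower().startswith("ms-"):
        return False
    # Filter 2: the writing process lives in a standard system/application path
    if image.lower().startswith(ALLOWED_IMAGE_PREFIXES):
        return False
    return True


def find_suspicious_handlers(events: list) -> list:
    """Return the registry keys of all events that survive the filters."""
    return [e["TargetObject"] for e in events if is_suspicious_protocol_handler(e)]
```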
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
Created: 2022-05-30