
Summary
The Auto Admin Logon Registry Entry analytic detection rule identifies suspicious modifications to the Windows registry that enable automatic logon for the administrative account. It specifically monitors changes to the 'AutoAdminLogon' value under the 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' key, using Sysmon EventID 12 (registry object created or deleted) and EventID 13 (registry value set). Such activity is notably linked with BlackMatter ransomware attacks, which abuse this setting to retain access to compromised systems across reboots, especially reboots into safe mode. If attackers succeed in enabling auto logon, they can maintain control and execute further malicious operations, leading to extensive data encryption and loss across the network. Implementing the rule requires endpoint logging that captures registry modifications, and the Sysmon TA version 2.0 or above for optimal performance.
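As an added illustration (not the rule's own search logic), the matching conditions re-implemented in Python over constructed Sysmon records, so the trigger can be read directly: EventID 13, a TargetObject ending in Winlogon\AutoAdminLogon, and value data of 1. It assumes Sysmon's TargetObject/Details field names and the "DWORD (0x...)" rendering of REG_DWORD data, and it covers only EventID 13 (value set), not EventID 12.

```python
import re

# Constructed Sysmon registry events (EventID 13 = value set), modelled on Sysmon's
# Computer/Image/TargetObject/Details fields. Sample data, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "ws01", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon",
     "Details": "1"},                              # REG_SZ "1": flagged
    {"EventID": 13, "Computer": "ws02", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon",
     "Details": "DWORD (0x00000001)"},             # REG_DWORD 1: flagged
    {"EventID": 13, "Computer": "ws03", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon",
     "Details": "0"},                              # auto logon disabled: not flagged
    {"EventID": 13, "Computer": "ws03", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},                   # different Winlogon value: not flagged
    {"EventID": 1, "Computer": "ws04", "Image": r"C:\Windows\System32\cmd.exe"},
]

# The value this rule watches; the hive prefix (HKLM, HKU\...) is deliberately not anchored.
AUTO_ADMIN_LOGON = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AutoAdminLogon$", re.IGNORECASE)


def value_enabled(details):
    """Normalise Sysmon's Details rendering: REG_SZ '1' or REG_DWORD 'DWORD (0x00000001)'."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", details.strip())
    if m:
        return int(m.group(1), 16) == 1
    return details.strip() == "1"


def detect_auto_admin_logon(events):
    """Return one alert per EventID 13 record that sets Winlogon\\AutoAdminLogon to 1."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        if not AUTO_ADMIN_LOGON.search(ev.get("TargetObject", "")):
            continue
        if not value_enabled(ev.get("Details", "")):
            continue
        alerts.append({"host": ev["Computer"], "image": ev["Image"], "details": ev["Details"]})
    return alerts


if __name__ == "__main__":
    for a in detect_auto_admin_logon(SAMPLE_EVENTS):
        print(f"ALERT {a['host']}: AutoAdminLogon set to {a['details']} by {a['image']}")
```

Setting AutoAdminLogon to 1 has a legitimate use (kiosk builds, scripted provisioning), so in production the alert is best paired with the writing Image and the user to separate provisioning from ransomware staging.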
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1552.002
- T1552
Created: 2024-12-08