
Summary
This detection rule identifies potential adversarial behavior associated with persistence techniques by monitoring for process executions that originate from the Windows Startup folder. The Startup folder is a common target for attackers aiming to maintain access to a system, because anything placed there runs each time the user logs on.

The rule uses Windows Security event logs (EventCode 4688, process creation) and filters those events for any process whose image path falls within the Startup folder. It should be noted that the rule does not account for the creation or execution of shortcuts (.lnk files) within the Startup folder: a program launched through a shortcut placed there runs from its own location, so its image path will not match.

The rule captures data points such as the process name, its parent process, the time of execution, and the associated user, enabling analysts to correlate these events with known threat actors such as APT29 and Kimsuky, as well as software associated with recent cyber threats.
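The filter described above, as an added example rather than the rule's own query: it parses constructed 4688 events (rendered as key=value pairs, a format assumed for this illustration), matches the image path against the two well-known Startup folder locations (an assumption, since the rule text only says "paths that match the Startup folder"), and keeps the data points the rule reports. The fourth sample event shows the shortcut blind spot the summary mentions.

```python
# Assumed Startup folder locations (well-known Windows paths; the rule text
# only says "paths that match the Startup folder"). Compared case-insensitively.
STARTUP_FOLDERS = (
    "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\",  # per-user
    "\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\",       # all users
)

def parse_event(line):
    """Parse one constructed 'key=value|key=value' rendering of a 4688 event."""
    return dict(kv.split("=", 1) for kv in line.split("|"))

def launched_from_startup(event):
    """True when a process-creation event's image path sits inside a Startup folder."""
    if event.get("EventCode") != "4688":
        return False
    image = event.get("NewProcessName", "").replace("/", "\\").lower()
    return any(folder in image for folder in STARTUP_FOLDERS)

def detect(lines):
    """Return the data points the rule keeps for each matching event."""
    keep = ("TimeCreated", "NewProcessName", "ParentProcessName", "SubjectUserName")
    hits = []
    for line in lines:
        ev = parse_event(line)
        if launched_from_startup(ev):
            hits.append({k: ev.get(k, "") for k in keep})
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"EventCode=4688|TimeCreated=2024-02-09T08:01:12Z|SubjectUserName=alice"
    r"|NewProcessName=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe"
    r"|ParentProcessName=C:\Windows\explorer.exe",
    # All-users Startup folder, different path casing.
    r"EventCode=4688|TimeCreated=2024-02-09T08:01:15Z|SubjectUserName=SYSTEM"
    r"|NewProcessName=C:\PROGRAMDATA\Microsoft\Windows\Start Menu\Programs\StartUp\svc.exe"
    r"|ParentProcessName=C:\Windows\explorer.exe",
    # Benign: a normal system process.
    r"EventCode=4688|TimeCreated=2024-02-09T08:01:20Z|SubjectUserName=alice"
    r"|NewProcessName=C:\Windows\System32\svchost.exe|ParentProcessName=C:\Windows\System32\services.exe",
    # The rule's blind spot: a program started via a .lnk placed in Startup; its image path is elsewhere.
    r"EventCode=4688|TimeCreated=2024-02-09T08:01:22Z|SubjectUserName=alice"
    r"|NewProcessName=C:\Tools\agent.exe|ParentProcessName=C:\Windows\explorer.exe",
    # Wrong event code (4689 is process exit), same path: ignored.
    r"EventCode=4689|TimeCreated=2024-02-09T09:00:00Z|SubjectUserName=alice"
    r"|NewProcessName=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```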
Categories
- Windows
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1547.001
Created: 2024-02-09