
Summary
This detection rule identifies potential persistence mechanisms related to logon scripts in a Windows environment. Specifically, it focuses on the registry value "UserInitMprLogonScript", which is commonly manipulated by malware to achieve persistence. When a new command line entry containing "UserInitMprLogonScript" is detected, it signals a possible unauthorized modification intended to execute commands at user logon. Because attackers often manipulate logon scripts to maintain a foothold on compromised systems, this rule helps detect and mitigate such threats. Administrators should be aware that, although this rule targets malicious activity, legitimate changes made by authorized personnel or third-party tools can also match it and cause false positives.
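The check described above, written out as an added example that is not the rule's own logic: it scans constructed process-creation events (Sysmon-style "CommandLine", "Image" and "User" fields are an assumption) for the "UserInitMprLogonScript" value name and pulls out the script path being set, so an analyst can triage whether the logon script is an expected admin change or not.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Case-insensitive match on the registry value name the rule keys on.
VALUE_NAME = re.compile(r"userinitmprlogonscript", re.IGNORECASE)

# Pull out the data being written. Assumption: the two command-line shapes we
# expect are "reg add ... /d <data>" and PowerShell "... -Value <data>".
_DATA = re.compile(r'''(?:/d\s+|-Value\s+)(?:"([^"]*)"|'([^']*)'|(\S+))''', re.IGNORECASE)


@dataclass
class Alert:
    user: str
    image: str
    script: Optional[str]   # path the logon script is being pointed at, if parseable
    command_line: str


def extract_script(command_line: str) -> Optional[str]:
    """Return the script path/command assigned to the value, or None."""
    m = _DATA.search(command_line)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def detect(events):
    """Apply the rule: flag any command line that names UserInitMprLogonScript."""
    alerts = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        if VALUE_NAME.search(cmd):
            alerts.append(Alert(ev.get("User", "?"), ev.get("Image", "?"),
                                extract_script(cmd), cmd))
    return alerts


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"User": r"CORP\alice", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKCU\Environment" /v UserInitMprLogonScript /t REG_SZ /d "C:\Users\Public\update.bat" /f'},
    {"User": r"CORP\bob", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"Set-ItemProperty -Path HKCU:\Environment -Name UserInitMprLogonScript -Value 'C:\Scripts\mapdrives.cmd'"},
    {"User": r"CORP\carol", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKCU\Environment" /v Path'},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {a.user} via {a.image} sets logon script -> {a.script}")
```

The second sample shows the false-positive case the summary warns about: a drive-mapping script set by an administrator matches exactly like the malicious one, so the extracted path, not the match itself, is what decides the triage.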
Categories
- Windows
- Endpoint
Data Sources
- Command
- Logon Session
- Windows Registry
Created: 2019-01-12