Direct Autorun Keys Modification

Sigma Rules

Summary
This detection rule identifies modifications to autostart extensibility points (ASEPs) in the Windows registry made with the command-line utility reg.exe. It alerts security teams to a common persistence mechanism: malware frequently writes to these registry keys so that it is launched again after a reboot or logon. The rule has two selection criteria: the first matches the reg.exe process image, and the second matches command-line arguments that write to registry paths associated with autostart functionality. Legitimate software installers and administrative actions also modify these keys, so separating benign from malicious activity is the main triage challenge. The rule fires whenever reg.exe is executed with a command that directly adds or modifies one of these sensitive registry locations; the CommandLine and ParentCommandLine fields should be reviewed for context (which value was written, what it points to, and which parent process launched reg.exe).
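The two-part selection described above, applied to process-creation events, as an added example (this is illustrative code, not the Sigma rule itself or the page's own code): it assumes event dictionaries with Image, CommandLine and ParentCommandLine fields, and uses the well-known Run/RunOnce and Policies\Explorer\Run paths as the autorun keys, since the page does not list the exact paths the rule matches.

```python
import re

# Autostart key fragments matched case-insensitively against the command line.
# Assumption: the rule's exact key list is not given on the page; these are the
# well-known Run keys. The first fragment also covers RunOnce and RunOnceEx.
AUTORUN_KEY_FRAGMENTS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\policies\explorer\run",
)


def is_reg_exe(image: str) -> bool:
    """Selection 1: the process image is reg.exe, regardless of directory."""
    return image.lower().rsplit("\\", 1)[-1] == "reg.exe"


def is_autorun_modification(event: dict) -> bool:
    """Selection 2: reg.exe performs an ADD (create or overwrite a value)
    against one of the autorun key fragments. Queries and deletes do not match."""
    if not is_reg_exe(event.get("Image", "")):
        return False
    cmd = event.get("CommandLine", "").lower()
    if not re.search(r"\badd\b", cmd):
        return False
    return any(fragment in cmd for fragment in AUTORUN_KEY_FRAGMENTS)


def triage(events: list) -> list:
    """Return matching events with the context fields an analyst reviews."""
    return [
        {"CommandLine": ev["CommandLine"],
         "ParentCommandLine": ev.get("ParentCommandLine", "")}
        for ev in events
        if is_autorun_modification(ev)
    ]


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d "C:\Users\Public\u.exe" /f',
     "ParentCommandLine": r'"C:\Windows\System32\cmd.exe" /c start /b'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Setup /d "C:\Program Files\Vendor\post.exe" /f',
     "ParentCommandLine": r"C:\Windows\System32\msiexec.exe /i setup.msi"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\Software\Vendor\App" /v Installed /d 1 /f'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v x /d y"'},
]
```

Both the cmd.exe-spawned write to a Public directory and the msiexec-spawned RunOnce write match, which is exactly why the ParentCommandLine is returned alongside the command: the rule cannot separate them, the analyst must.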
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1547.001
Created: 2019-10-25