
Summary
This detection rule identifies the addition of the Windows logon script registry value, which adversaries use to establish persistence on a host. The query selects events from the 'crowdstrikefdr_process' data source in which 'reg.exe' is executed with the 'add' command and a target of 'UserInitMprLogonScript' (the value lives under HKCU\Environment), restricted to events from the last two hours. Windows runs the script named in this value via userinit.exe each time the user logs on, so an attacker who sets it gains code execution at every logon and keeps a foothold even if the original access is lost. The rule applies to Windows platforms and maps to MITRE ATT&CK T1037.001 (Boot or Logon Initialization Scripts: Logon Script (Windows)), which ATT&CK lists under both the Persistence and Privilege Escalation tactics. The rule's reference documents threat actors observed using this technique in the wild.
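The following is an added example, not part of the rule or of CrowdStrike's query, that reproduces the rule's matching logic in Python over constructed sample process events: a reg.exe process whose command line contains an 'add' command and the UserInitMprLogonScript value name, seen within a two-hour window. The event field names (ts, image, cmdline, user) are assumptions for illustration and do not correspond to real FDR field names.

```python
import ntpath
import re
from datetime import datetime, timedelta, timezone

# Constructed sample process-start events (simplified, not real CrowdStrike FDR records).
SAMPLE_EVENTS = [
    {   # true positive: reg.exe writing the logon script value under HKCU\Environment
        "ts": "2024-02-09T10:05:00Z",
        "image": r"C:\Windows\System32\reg.exe",
        "cmdline": r'reg.exe ADD "HKCU\Environment" /v UserInitMprLogonScript /t REG_SZ /d "C:\Users\Public\update.bat" /f',
        "user": r"CORP\alice",
    },
    {   # read-only query of the same value: not an 'add', should not fire
        "ts": "2024-02-09T10:06:00Z",
        "image": r"C:\Windows\System32\reg.exe",
        "cmdline": r'reg.exe query "HKCU\Environment" /v UserInitMprLogonScript',
        "user": r"CORP\bob",
    },
    {   # 'add' to an unrelated key: should not fire
        "ts": "2024-02-09T10:07:00Z",
        "image": r"C:\Windows\System32\reg.exe",
        "cmdline": r'reg.exe add HKLM\SOFTWARE\Vendor /v Setting /t REG_DWORD /d 1 /f',
        "user": r"CORP\svc_install",
    },
    {   # same behaviour as the first event but outside the two-hour window
        "ts": "2024-02-08T01:00:00Z",
        "image": r"C:\Windows\System32\reg.exe",
        "cmdline": r'reg.exe add HKCU\Environment /v UserInitMprLogonScript /d C:\Temp\x.bat /f',
        "user": r"CORP\carol",
    },
    {   # same registry write made through PowerShell instead of reg.exe: a blind spot of this rule
        "ts": "2024-02-09T10:08:00Z",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r'powershell.exe -c Set-ItemProperty HKCU:\Environment UserInitMprLogonScript C:\Temp\y.bat',
        "user": r"CORP\dave",
    },
]

LOGON_SCRIPT_VALUE = "userinitmprlogonscript"
# 'add' as a standalone token, so a path such as C:\add\ does not match.
ADD_TOKEN = re.compile(r"(?i)(?:^|\s)add(?:\s|$)")


def parse_ts(ts: str) -> datetime:
    """Parse the constructed ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_reg_add_logon_script(event: dict) -> bool:
    """Mirror the rule's predicate: reg.exe + 'add' + UserInitMprLogonScript in the command line."""
    image = ntpath.basename(event.get("image", "")).lower()
    cmd = event.get("cmdline", "")
    return (
        image == "reg.exe"
        and ADD_TOKEN.search(cmd) is not None
        and LOGON_SCRIPT_VALUE in cmd.lower()
    )


def detect(events: list, now: datetime, window: timedelta = timedelta(hours=2)) -> list:
    """Return matching events seen within `window` before `now` (the rule's two-hour lookback)."""
    start = now - window
    hits = []
    for e in events:
        ts = parse_ts(e["ts"])
        if start <= ts <= now and is_reg_add_logon_script(e):
            hits.append({"ts": e["ts"], "user": e["user"], "cmdline": e["cmdline"]})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, parse_ts("2024-02-09T11:00:00Z")):
        print(f"ALERT {hit['ts']} {hit['user']}: {hit['cmdline']}")
```

Only the first event fires. The last sample event shows the rule's main coverage gap: because the query keys on reg.exe, the same value written through PowerShell's Set-ItemProperty, a .reg import, or a direct RegSetValueEx call is not matched; a registry-value-modification data source keyed on the value path rather than the process would close that gap.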
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1037.001
Created: 2024-02-09