
Summary
This detection rule monitors changes to the `UserInitMprLogonScript` registry value, a modification frequently used by attackers to achieve persistence and elevate privileges when a user logs on. The rule taps into the Endpoint.Registry data model to track activity on this specific registry path, as alterations here are a common tactic employed by Advanced Persistent Threats (APTs) and malware. By detecting these changes, security teams can identify attempts to maintain unauthorized access on compromised endpoints and potentially escalate privileges. The conditions set within this rule ensure that any modification, whether an addition or a deletion, triggers an alert for further investigation. Implementing this detection requires that registry events from endpoint logging sources, such as Sysmon or similar technologies, are ingested and mapped to the data model. Confirmed malicious changes could indicate the presence of an advanced threat and warrant immediate remediation of the affected host.
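The matching logic described above, as an added Python example that is not the rule's own search: it runs over a few constructed Sysmon-style registry events (field names `event_id`, `event_type`, `target_object`, `image`, `details` are assumed) and flags both a set and a delete of `UserInitMprLogonScript`, including the `HKU\<SID>\Environment` form of the path.

```python
"""Added example: flag UserInitMprLogonScript registry modifications in
constructed Sysmon-style registry events (not the original rule's search)."""
import re
from typing import Iterable

# T1037.001 logon script value lives under <hive>\Environment. Match on the
# trailing value path, case-insensitively, so HKCU and HKU\<SID> both hit.
TARGET_VALUE = re.compile(r"\\Environment\\UserInitMprLogonScript$", re.I)

# Sysmon registry events: ID 12 covers object create/delete (incl. DeleteValue),
# ID 13 covers SetValue. The rule alerts on additions and deletions alike.
REGISTRY_EVENT_IDS = {12, 13}
ALERT_EVENT_TYPES = {"SetValue", "DeleteValue"}  # assumed Sysmon EventType names


def is_logon_script_modification(event: dict) -> bool:
    """True when the event sets or deletes UserInitMprLogonScript."""
    if event.get("event_id") not in REGISTRY_EVENT_IDS:
        return False
    if event.get("event_type") not in ALERT_EVENT_TYPES:
        return False
    return TARGET_VALUE.search(event.get("target_object", "")) is not None


def find_alerts(events: Iterable[dict]) -> list[dict]:
    """Return the subset of events that should raise an alert."""
    return [e for e in events if is_logon_script_modification(e)]


# Constructed sample events (assumed field names, modelled on Sysmon output).
SAMPLE_EVENTS = [
    {"event_id": 13, "event_type": "SetValue", "image": "reg.exe",
     "target_object": r"HKU\S-1-5-21-1\Environment\UserInitMprLogonScript",
     "details": r"C:\Users\Public\update.bat"},           # addition -> alert
    {"event_id": 12, "event_type": "DeleteValue", "image": "powershell.exe",
     "target_object": r"HKCU\Environment\UserInitMprLogonScript"},  # deletion -> alert
    {"event_id": 13, "event_type": "SetValue", "image": "explorer.exe",
     "target_object": r"HKCU\Environment\Path", "details": r"C:\tools"},  # benign
    {"event_id": 1, "event_type": "ProcessCreate", "image": "x.exe",
     "target_object": r"HKCU\Environment\UserInitMprLogonScript"},  # not a registry event
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT {alert['event_type']} {alert['target_object']} by {alert['image']}")
```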
Categories
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1037
- T1037.001
Created: 2024-11-13