
Summary
This detection rule identifies registry configurations associated with the Run Once mechanism on Windows. That configuration matters because malware uses it as a persistence mechanism to execute a payload at system startup, specifically through the runonce.exe utility with the /AlternateShellStartup parameter. The rule monitors registry events, looking for changes under the `\Microsoft\Active Setup\Installed Components` path and focusing on entries that end with `\StubPath`. It includes optional filters for legitimate entries created by Google Chrome and Microsoft Edge, so that known benign activity is excluded and detection concentrates on potentially malicious modifications. By capturing only the pertinent modifications while filtering out legitimate software, the rule aims for accurate detection without overwhelming security teams with benign alerts. It reflects good practice in registry monitoring and shows how threat actors can abuse built-in system functionality for persistence.
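The matching logic described above, re-implemented as an added example over constructed Sysmon-style "registry value set" events. This is illustration code written for this page, not the rule's own source or any vendor's implementation; the event field names (`target_object`, `details`, `image`) and the Chrome/Edge installer paths used as benign-filter prefixes are assumptions about what such an exclusion might look like, not values taken from the rule. Matching is done case-insensitively, as most Sigma backends treat `contains` and `endswith`.

```python
from dataclasses import dataclass
from typing import List

# Path fragment and value-name suffix the rule keys on (from the summary above).
ACTIVE_SETUP_PATH = "\\Microsoft\\Active Setup\\Installed Components"
STUBPATH_SUFFIX = "\\StubPath"

# ASSUMED benign installer locations for the optional Chrome/Edge filters.
# The real rule's filter values are not shown on this page.
BENIGN_DETAIL_PREFIXES = (
    "\"C:\\Program Files\\Google\\Chrome\\Application\\",
    "\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\",
    "\"C:\\Program Files\\Microsoft\\Edge\\Application\\",
    "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\",
)


@dataclass
class RegistryEvent:
    """One 'registry value set' event (assumed field layout, Sysmon EID 13 style)."""
    target_object: str  # full registry path of the value written
    details: str        # new value data
    image: str          # process that performed the write


def is_active_setup_stubpath(event: RegistryEvent) -> bool:
    """Selection: key path contains the Active Setup branch and value is StubPath."""
    path = event.target_object.lower()
    return ACTIVE_SETUP_PATH.lower() in path and path.endswith(STUBPATH_SUFFIX.lower())


def is_known_benign(event: RegistryEvent) -> bool:
    """Filter: StubPath data pointing at the assumed Chrome/Edge installer dirs."""
    data = event.details.lower()
    return any(data.startswith(prefix.lower()) for prefix in BENIGN_DETAIL_PREFIXES)


def evaluate(events: List[RegistryEvent]) -> List[RegistryEvent]:
    """Rule = selection AND NOT filter; returns the events that would alert."""
    return [e for e in events if is_active_setup_stubpath(e) and not is_known_benign(e)]


# Constructed sample events (not real telemetry). GUIDs and paths are invented.
SAMPLE_EVENTS = [
    # Chrome installer registering its Active Setup component: filtered out.
    RegistryEvent(
        "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{8A69D345-D564-463c-AFF1-A69D9E530F96}\\StubPath",
        "\"C:\\Program Files\\Google\\Chrome\\Application\\120.0.0.0\\Installer\\chrmstp.exe\" --configure-user-settings",
        "C:\\Program Files\\Google\\Chrome\\Application\\120.0.0.0\\Installer\\setup.exe",
    ),
    # Edge installer, under the WOW6432Node branch: still matches 'contains', then filtered out.
    RegistryEvent(
        "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Active Setup\\Installed Components\\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\\StubPath",
        "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\120.0.0.0\\Installer\\setup.exe\" --configure-user-settings",
        "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\120.0.0.0\\Installer\\setup.exe",
    ),
    # StubPath pointing at a world-writable location written by a script host: alerts.
    RegistryEvent(
        "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{00000000-1111-2222-3333-444444444444}\\StubPath",
        "C:\\Users\\Public\\updater.exe",
        "C:\\Windows\\System32\\reg.exe",
    ),
    # Same Active Setup key but a different value name: not selected.
    RegistryEvent(
        "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{00000000-1111-2222-3333-444444444444}\\IsInstalled",
        "DWORD (0x00000001)",
        "C:\\Windows\\System32\\reg.exe",
    ),
    # Unrelated autorun location: out of scope for this rule.
    RegistryEvent(
        "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
        "C:\\Users\\Public\\updater.exe",
        "C:\\Windows\\System32\\reg.exe",
    ),
]


def run_detection() -> List[str]:
    """Convenience wrapper: the target_object of every sample event that alerts."""
    return [e.target_object for e in evaluate(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for hit in run_detection():
        print("ALERT:", hit)
```

The third sample event is the only one that survives both the selection and the filter. Note the trade-off the filters introduce: the exclusion keys on the StubPath *data* starting with a vendor directory, so an unprivileged write to that value is excluded only if it mimics the installer path exactly; tuning the prefixes too loosely would widen the blind spot, which is why the filters are optional.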
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
Created: 2020-11-15