
Windows Njrat Fileless Storage via Registry

Splunk Security Content

Summary
This rule detects the fileless storage technique used by the NjRat malware: suspicious modifications to the Windows Registry. NjRat is known for capabilities such as keylogging and executing malicious DLL files without relying on traditional file-based methods, which lets it evade standard detection mechanisms. The detection uses Sysmon Event IDs 12 and 13 to monitor the specific registry paths and value data that NjRat commonly manipulates. This monitoring matters for security operations center (SOC) analysts because it helps identify attacker persistence, which could otherwise lead to unauthorized access and data breaches. Effective implementation requires that the Endpoint data model is populated with process changes and that the relevant Splunk CIM App and Technology Add-ons are up to date.
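As an added example (this is not the rule's own SPL and not code from the Splunk Security Content project), the following Python shows the mechanics the summary describes: it parses Sysmon Event ID 12 (registry key created/deleted) and Event ID 13 (registry value set) records, maps TargetObject and Details to the registry path and value data, and flags events that match a watchlist. The page does not list the rule's actual registry paths or value-data patterns, so the watchlist entries below are placeholders, and all sample events are constructed.

```python
"""Detection mechanics for Sysmon registry events (Event ID 12 and 13).

Added example; the watchlist patterns are PLACEHOLDERS, not the indicators
used by the real Splunk rule, and the sample events are constructed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

REGISTRY_KEY_EVENT = 12   # Sysmon: registry key created or deleted
REGISTRY_VALUE_SET = 13   # Sysmon: registry value set (Details carries the data)

# Hypothetical watchlist (placeholders): the rule's real registry paths and
# value-data patterns are not given on this page.
PATH_PATTERNS = [re.compile(r"\\PLACEHOLDER_SUSPICIOUS_KEY$", re.IGNORECASE)]
DATA_PATTERNS = [re.compile(r"PLACEHOLDER_MARKER", re.IGNORECASE)]


@dataclass
class RegistryEvent:
    event_id: int
    event_type: str
    image: str
    target_object: str   # Splunk CIM field: registry_path
    details: str         # Splunk CIM field: registry_value_data (empty for ID 12)


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_sysmon_event(xml_text):
    """Return a RegistryEvent for Event ID 12/13 records, None for anything else."""
    root = ET.fromstring(xml_text)
    event_id, data = None, {}
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "EventID":
            event_id = int(elem.text)
        elif name == "Data" and "Name" in elem.attrib:
            data[elem.attrib["Name"]] = elem.text or ""
    if event_id not in (REGISTRY_KEY_EVENT, REGISTRY_VALUE_SET):
        return None
    return RegistryEvent(event_id, data.get("EventType", ""), data.get("Image", ""),
                         data.get("TargetObject", ""), data.get("Details", ""))


def matches_watchlist(ev):
    """True when the registry path matches, or (for value-set events) the data matches."""
    if any(p.search(ev.target_object) for p in PATH_PATTERNS):
        return True
    if ev.event_id == REGISTRY_VALUE_SET:
        return any(p.search(ev.details) for p in DATA_PATTERNS)
    return False


def detect(events_xml):
    """Run the detection over raw Sysmon XML records and return the matching events."""
    hits = []
    for xml_text in events_xml:
        ev = parse_sysmon_event(xml_text)
        if ev is not None and matches_watchlist(ev):
            hits.append(ev)
    return hits


def _sysmon_xml(event_id, **fields):
    """Build a minimal Sysmon-style XML record (constructed sample data only)."""
    data = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in fields.items())
    return (f"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
            f"<System><Provider Name='Microsoft-Windows-Sysmon'/>"
            f"<EventID>{event_id}</EventID></System>"
            f"<EventData>{data}</EventData></Event>")


# Constructed sample telemetry (hypothetical SID, paths and binaries).
_HKU = r"HKU\S-1-5-21-1111-2222-3333-1001\Software"
SAMPLE_EVENTS = [
    # benign Run-key entry: should not match
    _sysmon_xml(13, EventType="SetValue", Image=r"C:\Windows\explorer.exe",
                TargetObject=_HKU + r"\Microsoft\Windows\CurrentVersion\Run\Benign",
                Details=r"C:\Program Files\Vendor\app.exe"),
    # value written under a watchlisted key: matches on path
    _sysmon_xml(13, EventType="SetValue", Image=r"C:\Users\user\AppData\Roaming\sample.exe",
                TargetObject=_HKU + r"\PLACEHOLDER_SUSPICIOUS_KEY",
                Details="stored-payload-bytes"),
    # ordinary key, but value data carries the watchlisted marker: matches on data
    _sysmon_xml(13, EventType="SetValue", Image=r"C:\Users\user\AppData\Roaming\sample.exe",
                TargetObject=_HKU + r"\Vendor\Data",
                Details="abc PLACEHOLDER_MARKER def"),
    # key creation (Event ID 12) of the watchlisted key: matches on path, no Details field
    _sysmon_xml(12, EventType="CreateKey", Image=r"C:\Users\user\AppData\Roaming\sample.exe",
                TargetObject=_HKU + r"\PLACEHOLDER_SUSPICIOUS_KEY"),
    # process-creation event (Event ID 1): ignored by this detection
    _sysmon_xml(1, Image=r"C:\Windows\System32\notepad.exe", CommandLine="notepad.exe"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT EventID={hit.event_id} {hit.event_type} image={hit.image} "
              f"path={hit.target_object} data={hit.details!r}")
```

The split between path and data matching mirrors how such a rule is expressed over the Endpoint.Registry data model: registry_path (Sysmon TargetObject) is checked for both event types, while registry_value_data (Sysmon Details) only exists for Event ID 13, so the Event ID 12 branch matches on the key alone.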
Categories
  • Windows
  • Endpoint
Data Sources
  • User Account
  • Windows Registry
ATT&CK Techniques
  • T1027.011
  • T1027
Created: 2024-11-13