
Summary
This detection rule identifies modifications to the registry keys that disable System Restore on Windows hosts. It matches specific registry paths associated with System Restore settings using the Endpoint.Registry data model, populated from Sysmon EventID 12 (registry key created or deleted) and EventID 13 (registry value set) logs. The activity matters because disabling System Restore removes a recovery path for a compromised system, which is why Remote Access Trojans (RATs) commonly use it to maintain persistence on infected machines. Running the rule's search in a Splunk environment lets security teams surface registry changes that could lead to a sustained malware presence on endpoints and respond before further damage or data loss occurs.
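The following is an added example of the detection logic described above, written in Python rather than SPL so it can be run against constructed sample events; it is not the rule's own search and not code from the Splunk content project. The registry path and value names (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore with DisableSR and DisableConfig) are the standard Windows Group Policy locations for turning System Restore off and are assumed here, since the summary does not list the paths it matches. The sample Sysmon EventID 12 and 13 records are constructed for the example.

```python
import re
from dataclasses import dataclass

# Group Policy registry location that disables System Restore (assumed; the
# rule summary does not list its exact paths). A DWORD value of 1 under
# either name turns the feature off.
SYSTEM_RESTORE_POLICY_PATH = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"
DISABLE_VALUE_NAMES = {"disablesr", "disableconfig"}


@dataclass
class RegistryEvent:
    """Minimal view of a Sysmon registry event (EventID 12 or 13)."""
    event_id: int
    event_type: str      # Sysmon EventType: CreateKey, DeleteKey, SetValue
    host: str
    process: str         # Image field: the process that wrote the registry
    target_object: str   # key path (EventID 12) or key path + value name (EventID 13)
    details: str = ""    # Sysmon Details field for EventID 13, e.g. "DWORD (0x00000001)"


def parse_dword(details):
    """Return the integer in a Sysmon 'DWORD (0x........)' Details field, else None."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details.strip())
    return int(m.group(1), 16) if m else None


def split_target(target_object):
    """Split 'HKLM\\...\\Key\\ValueName' into (key path, value name)."""
    path, _, name = target_object.rpartition("\\")
    return path, name


def classify(ev):
    """Return a reason string if the event disables System Restore, else None."""
    policy = SYSTEM_RESTORE_POLICY_PATH.lower()
    if ev.event_id == 12:
        # Creating the policy key itself is the usual first step before the
        # disable values are written; deleting it re-enables defaults.
        if ev.event_type == "CreateKey" and ev.target_object.lower() == policy:
            return "SystemRestore policy key created"
        return None
    if ev.event_id == 13:
        path, name = split_target(ev.target_object)
        if path.lower() == policy and name.lower() in DISABLE_VALUE_NAMES:
            # Only a value of 1 disables the feature; writing 0 re-enables it.
            if parse_dword(ev.details) == 1:
                return f"{name} set to 1"
        return None
    return None


def detect_system_restore_disable(events):
    """Run the check over a batch of events and return one finding per match."""
    findings = []
    for ev in events:
        reason = classify(ev)
        if reason:
            findings.append({"host": ev.host, "process": ev.process,
                             "event_id": ev.event_id, "reason": reason})
    return findings


# Constructed sample events; none are taken from a real incident.
SAMPLE_EVENTS = [
    RegistryEvent(12, "CreateKey", "ws01", r"C:\Users\alice\AppData\Local\Temp\updater.exe",
                  SYSTEM_RESTORE_POLICY_PATH),
    RegistryEvent(13, "SetValue", "ws01", r"C:\Users\alice\AppData\Local\Temp\updater.exe",
                  SYSTEM_RESTORE_POLICY_PATH + r"\DisableSR", "DWORD (0x00000001)"),
    # Mixed case path: Sysmon output varies, so matching must be case-insensitive.
    RegistryEvent(13, "SetValue", "ws02", r"C:\Windows\regedit.exe",
                  r"hklm\software\policies\microsoft\windows nt\systemrestore\DisableConfig",
                  "DWORD (0x00000000)"),   # value 0 re-enables; must not fire
    RegistryEvent(13, "SetValue", "ws03", r"C:\Windows\explorer.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
                  r"C:\Users\bob\updater.exe"),   # unrelated key; must not fire
    RegistryEvent(12, "DeleteKey", "ws01", r"C:\Windows\System32\gpupdate.exe",
                  SYSTEM_RESTORE_POLICY_PATH),   # removal of the policy; must not fire
]

if __name__ == "__main__":
    for f in detect_system_restore_disable(SAMPLE_EVENTS):
        print(f)
```

The check deliberately requires the DWORD to equal 1, so a Group Policy refresh that writes 0 (re-enabling System Restore) does not produce a finding, and it reports the key creation separately so an analyst can see the full sequence on a host even when the value write arrives in a later log batch.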
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1490
- T1562.001
Created: 2024-12-08