Add DLL_EXE Registry Value

Anvilogic Forge

Summary
This detection rule monitors additions to the Windows registry that indicate a persistence mechanism. It targets the creation of registry values under user-specific (HKCU/HKU) or system-wide (HKLM) autorun locations, such as the Run and RunOnce keys, whose data points to a DLL or EXE that executes at user logon. Threat actors commonly use this technique to keep a foothold on a compromised host (ATT&CK T1547.001, Registry Run Keys / Startup Folder). The rule consumes Sysmon registry events (RegistryEvent: Value Set, Event ID 13) and matches values that reference files in a 'Temp' or 'Common Files' directory, naming patterns commonly associated with malicious payloads. The Splunk logic filters these events and summarizes the user, host, process, and registry entry created for further analysis and response.
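The following is an added, stand-alone example of the detection logic described above, not Anvilogic's rule or its Splunk SPL. It runs over a handful of constructed Sysmon Event ID 13 records (field names follow Sysmon's RegistryEvent schema: Computer, User, Image, TargetObject, Details), keeps only values written under Run/RunOnce keys whose data references a .exe or .dll in a Temp or Common Files directory, and summarizes the hits by host and user the way a Splunk `stats values(...) by host, user` would.

```python
import re
from collections import defaultdict

# Constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records used as
# sample input for this example. They are not real telemetry.
SAMPLE_EVENTS = [
    # Run value in a user hive pointing at an EXE dropped in %TEMP%  -> hit
    {"EventID": 13, "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    # Legitimate Run value under Program Files                        -> no hit
    {"EventID": 13, "Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Program Files\Windows Security\SecurityHealthSystray.exe"},
    # RunOnce value loading a DLL from Common Files via rundll32      -> hit
    {"EventID": 13, "Computer": "WS02", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Init",
     "Details": r"rundll32.exe C:\Program Files\Common Files\svc.dll,Start"},
    # Key creation (Event ID 12), not a value set                     -> ignored
    {"EventID": 12, "Computer": "WS02", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"},
    # Temp EXE written to a non-autorun key                            -> no hit
    {"EventID": 13, "Computer": "WS03", "User": "CORP\\carol",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKCU\Software\SomeApp\Settings\Path",
     "Details": r"C:\Temp\tool.exe"},
]

# Autorun locations covered by T1547.001; the capture group records which one.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)

# File name patterns the rule treats as suspicious: an EXE or DLL whose parent
# directory is 'Temp' or 'Common Files'. The match covers the final path segment.
SUSPECT_PATH_RE = re.compile(
    r"(\\Temp\\|\\Common Files\\)[^\\]+\.(exe|dll)\b", re.I)


def detect_run_key_persistence(events):
    """Return one hit per Sysmon value-set event that writes a Run/RunOnce
    value referencing a .exe/.dll under a Temp or Common Files directory."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:          # only RegistryEvent: Value Set
            continue
        key_match = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        path_match = SUSPECT_PATH_RE.search(ev.get("Details", ""))
        if not (key_match and path_match):
            continue
        hits.append({
            "host": ev["Computer"],
            "user": ev["User"],
            "process": ev["Image"],          # process that wrote the value
            "registry_key": ev["TargetObject"],
            "value": ev["Details"],
            "autorun_key": key_match.group(1),
            "matched_path": path_match.group(0),
        })
    return hits


def summarize_by_host_user(hits):
    """Group hits by (host, user), collecting the distinct processes, registry
    keys and values, mirroring a Splunk stats-by-host-and-user summary."""
    summary = defaultdict(lambda: {"processes": set(),
                                   "registry_keys": set(),
                                   "values": set()})
    for h in hits:
        bucket = summary[(h["host"], h["user"])]
        bucket["processes"].add(h["process"])
        bucket["registry_keys"].add(h["registry_key"])
        bucket["values"].add(h["value"])
    return {k: {f: sorted(v) for f, v in b.items()} for k, b in summary.items()}


if __name__ == "__main__":
    for (host, user), fields in summarize_by_host_user(
            detect_run_key_persistence(SAMPLE_EVENTS)).items():
        print(f"{host} / {user}")
        for name, values in fields.items():
            print(f"  {name}: {values}")
```

Two caveats when deploying logic like this: Sysmon only emits registry events for paths its configuration includes, so the Run and RunOnce keys must be in the RegistryEvent include rules or no Event ID 13 will ever arrive; and legitimate installers do write Run values that point under Common Files, so the summarized process, user and value fields are what let an analyst separate a signed vendor updater from a dropped payload.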
Categories
  • Windows
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1547.001
Created: 2024-02-09