
Summary
This analytic rule targets suspicious modifications to the Windows Update configuration registry value "UseWUServer" that can indicate malicious activity. Specifically, it looks for the value being set to "0x00000001", a change that threat actors such as the RedLine Stealer malware are known to make to undermine detection systems and potentially leverage vulnerabilities. The detection rule uses Sysmon registry events (EventID 12 and EventID 13) and operates within the Endpoint.Registry data model, allowing security teams to track changes to registry settings that could signal malicious intent. When the configured value is detected, further investigation is warranted to determine whether the modification is legitimate, especially since legitimate administrative changes can produce false positives. Overall, this rule aids in identifying potential evasion techniques used by attackers.
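The rule's condition, re-implemented as an added Python example over constructed Sysmon messages (this is not the rule's own search logic, and the sample events, image paths and process IDs are made up): it parses the "Name: value" text form of Sysmon EventID 12/13 messages, keeps only writes to the `...\WindowsUpdate\AU\UseWUServer` value, and alerts when the DWORD written equals 0x1.

```python
import re

# Constructed Sysmon messages in the "Name: value" text form of the Windows
# Event Log Message field. Sample data for this example, not real telemetry.
SAMPLE_EVENTS = [
    # EventID 13 (Registry value set): UseWUServer = 1 written by an unusual binary
    "EventID: 13\nEventType: SetValue\nUtcTime: 2024-11-13 10:15:02.113\n"
    "ProcessId: 4321\nImage: C:\\Users\\Public\\updchk.exe\n"
    "TargetObject: HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\UseWUServer\n"
    "Details: DWORD (0x00000001)",
    # Same value set to 0 by gpupdate: not the condition the rule looks for
    "EventID: 13\nEventType: SetValue\nUtcTime: 2024-11-13 10:16:40.002\n"
    "ProcessId: 1180\nImage: C:\\Windows\\System32\\gpupdate.exe\n"
    "TargetObject: HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\UseWUServer\n"
    "Details: DWORD (0x00000000)",
    # A sibling WindowsUpdate value (string type): must be ignored
    "EventID: 13\nEventType: SetValue\nUtcTime: 2024-11-13 10:17:11.500\n"
    "ProcessId: 1180\nImage: C:\\Windows\\System32\\gpupdate.exe\n"
    "TargetObject: HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUServer\n"
    "Details: http://wsus.corp.example:8530",
]

FIELD_RE = re.compile(r"^(\w+): (.*)$", re.MULTILINE)
TARGET_RE = re.compile(r"\\WindowsUpdate\\AU\\UseWUServer$", re.IGNORECASE)
DWORD_RE = re.compile(r"^DWORD \((0x[0-9a-f]+)\)$", re.IGNORECASE)

def parse_sysmon_message(text: str) -> dict:
    """Turn the 'Name: value' lines of one Sysmon message into a dict."""
    return {m.group(1): m.group(2).strip() for m in FIELD_RE.finditer(text)}

def is_usewuserver_set_to_one(event: dict) -> bool:
    """The rule's condition: Sysmon registry event (12/13) writing UseWUServer = 0x1."""
    if event.get("EventID") not in ("12", "13"):
        return False
    if not TARGET_RE.search(event.get("TargetObject", "")):
        return False
    m = DWORD_RE.match(event.get("Details", ""))
    return bool(m) and int(m.group(1), 16) == 1

def find_alerts(messages: list) -> list:
    """Return matching events with the fields an analyst triages first."""
    keys = ("UtcTime", "Image", "ProcessId", "TargetObject", "Details")
    return [{k: ev.get(k, "") for k in keys}
            for ev in map(parse_sysmon_message, messages)
            if is_usewuserver_set_to_one(ev)]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample event is returned; the writing process (Image, ProcessId) is what distinguishes an administrative change from the activity the rule is looking for.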
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1112
Created: 2024-11-13