
Summary
This analytic rule detects suspicious modifications to the Active Setup registry key, specifically the 'StubPath' value under the path 'SOFTWARE\Microsoft\Active Setup\Installed Components'. Such modifications can indicate attempts by malware or advanced persistent threats (APTs) to establish persistence and elevate privileges on compromised systems. The detection relies on Sysmon Event IDs 12 (registry object created or deleted) and 13 (registry value set) to monitor registry activity, because changes under this path are commonly associated with unauthorized software maintaining persistence across system reboots. If malicious intent is confirmed, the registry change gives the attacker a way to execute arbitrary code during system startup, potentially leading to further compromise. The rule uses a search query that collects and analyzes the relevant registry data, focusing on events that signify alterations to these critical registry entries. It is crafted to minimize false positives while ensuring robust detection against prevalent attack strategies.
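The following is an added worked example, not the rule's own search query: it applies the same logic (Sysmon Event IDs 12 and 13, TargetObject ending in an Active Setup component's 'StubPath' value) to a handful of constructed Sysmon-style event records. The field names (EventID, EventType, TargetObject, Details, Image, ProcessId, User, Computer) mirror Sysmon's registry event schema, but the records themselves, the component GUIDs and the paths are made up for illustration. The matcher is written to cover both the native path and the WOW6432Node redirection used for 32-bit components, so it is slightly more general than the single path quoted above.

```python
import re
from typing import Dict, Iterable, List, Optional

# Matches the 'StubPath' value of any Active Setup component, independent of
# hive prefix, letter case, or WOW6432Node redirection (32-bit components).
ACTIVE_SETUP_STUBPATH = re.compile(
    r"\\Microsoft\\Active Setup\\Installed Components\\(?P<component>[^\\]+)\\StubPath$",
    re.IGNORECASE,
)

# Sysmon registry event IDs covered by the rule:
#   12 = registry object (key or value) created or deleted
#   13 = registry value set
REGISTRY_EVENT_IDS = {12, 13}


def match_stubpath(target_object: str) -> Optional[str]:
    """Return the Active Setup component name if target_object is its StubPath value, else None."""
    m = ACTIVE_SETUP_STUBPATH.search(target_object)
    return m.group("component") if m else None


def detect_active_setup_stubpath(events: Iterable[Dict]) -> List[Dict]:
    """Run the detection over Sysmon-style event dicts and return one finding per hit."""
    findings: List[Dict] = []
    for ev in events:
        if ev.get("EventID") not in REGISTRY_EVENT_IDS:
            continue  # not a Sysmon registry event
        component = match_stubpath(ev.get("TargetObject", ""))
        if component is None:
            continue  # registry event, but not an Active Setup StubPath value
        findings.append({
            "event_id": ev["EventID"],
            "event_type": ev.get("EventType"),
            "component": component,
            # Details carries the command Active Setup will launch for each user
            # at next logon; it is absent on a delete (Event ID 12).
            "stub_path": ev.get("Details"),
            "image": ev.get("Image"),
            "process_id": ev.get("ProcessId"),
            "user": ev.get("User"),
            "computer": ev.get("Computer"),
        })
    return findings


# Constructed sample events (hypothetical hostnames, users, GUIDs and paths).
SAMPLE_EVENTS = [
    {   # 1: StubPath set to a binary in a user-writable directory -> hit
        "EventID": 13, "EventType": "SetValue", "Computer": "WS01",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}\StubPath",
        "Details": r"C:\Users\Public\update.exe",
        "Image": r"C:\Windows\System32\reg.exe", "ProcessId": 4242, "User": r"CORP\jdoe",
    },
    {   # 2: same technique via the 32-bit redirected path -> hit
        "EventID": 13, "EventType": "SetValue", "Computer": "WS01",
        "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66666666-7777-8888-9999-000000000000}\StubPath",
        "Details": r"powershell.exe -w hidden -f C:\ProgramData\s.ps1",
        "Image": r"C:\Windows\SysWOW64\regsvr32.exe", "ProcessId": 5151, "User": r"CORP\jdoe",
    },
    {   # 3: StubPath value deleted (cleanup or legitimate uninstall) -> hit, triage by Image
        "EventID": 12, "EventType": "DeleteValue", "Computer": "WS02",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}\StubPath",
        "Image": r"C:\Windows\System32\msiexec.exe", "ProcessId": 900, "User": "NT AUTHORITY\\SYSTEM",
    },
    {   # 4: a Run-key autostart; different technique, out of scope for this rule
        "EventID": 13, "EventType": "SetValue", "Computer": "WS02",
        "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync",
        "Details": r"C:\Program Files\Sync\sync.exe",
        "Image": r"C:\Program Files\Sync\setup.exe", "ProcessId": 777, "User": r"CORP\asmith",
    },
    {   # 5: Active Setup component, but the 'Version' value, not StubPath -> no hit
        "EventID": 13, "EventType": "SetValue", "Computer": "WS02",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}\Version",
        "Details": "1,0,0,1",
        "Image": r"C:\Windows\System32\msiexec.exe", "ProcessId": 900, "User": "NT AUTHORITY\\SYSTEM",
    },
    {   # 6: a file-create event (Sysmon Event ID 11); not a registry event -> ignored
        "EventID": 11, "Computer": "WS01",
        "TargetFilename": r"C:\Users\Public\update.exe",
        "Image": r"C:\Windows\explorer.exe", "ProcessId": 3030, "User": r"CORP\jdoe",
    },
]


if __name__ == "__main__":
    for f in detect_active_setup_stubpath(SAMPLE_EVENTS):
        print(f"[Sysmon {f['event_id']}/{f['event_type']}] {f['computer']} user={f['user']} "
              f"image={f['image']} component={f['component']} stub_path={f['stub_path']}")
```

Running the script yields three findings (two value-set events and one delete) and nothing for the Run-key, 'Version' and file-create records. In practice the Image, User and Details fields are what separate a legitimate installer refreshing a component from a foreign binary in a user-writable path, so they are carried into each finding for triage rather than filtered out in the matcher.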
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1547
- T1547.014
Created: 2024-12-08