
Summary
This detection rule identifies modifications to Windows registry autorun keys, a technique commonly used by malicious actors for persistence. The rule looks for changes to the registry paths where software can register itself to run automatically at system startup: the `Run`, `RunOnce`, `RunServices`, and `RunServicesOnce` keys. The logic captures event codes from endpoint data collected via Sysmon, in particular EventCode 1, which indicates a process creation event. Splunk commands filter these events and extract the relevant fields, allowing analysts to pinpoint unauthorized changes to the autorun keys. Because a wide range of threat actors use this technique, unexpected updates to these keys can indicate a compromise. Notable groups known to use this tactic include APT28, APT29, and FIN7, among others.
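The following is an added example of the detection logic run over sample log lines; it is not the rule's own Splunk search. It assumes Sysmon events exported as JSON lines with the Splunk-style field names `EventCode`, `Image`, `User`, `TargetObject` and `Details`, and it reads the registry path from Sysmon EventCode 13 (registry value set), since that event carries the `TargetObject` path of the written value. The sample events and the `TRUSTED_IMAGES` allowlist are constructed for the example.

```python
import json
import re
from typing import Iterable

# Assumption for this example: the registry path comes from Sysmon
# EventCode 13 (RegistryEvent, value set), whose TargetObject holds the
# full path of the value that was written.
REGISTRY_VALUE_SET = 13

# A value written directly under one of the autorun keys named by the rule.
# Anchored on the final two path components so that e.g. "RunOnceEx\0001\x"
# is not matched by accident.
AUTORUN_VALUE_RE = re.compile(
    r"\\(?P<key>Run|RunOnce|RunServices|RunServicesOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

# Constructed tuning allowlist (placeholder, not part of the rule): writers
# that are expected to touch autorun keys in a given environment.
TRUSTED_IMAGES = frozenset({
    r"c:\windows\system32\msiexec.exe",
})

# Constructed Sysmon-style events: one process creation (no registry path),
# three autorun-key writes, and one unrelated registry write.
SAMPLE_EVENTS = r"""
{"EventCode": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\alice", "CommandLine": "cmd.exe /c whoami"}
{"EventCode": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "User": "CORP\\alice", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Updater", "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe /quiet"}
{"EventCode": 13, "Image": "C:\\Windows\\System32\\msiexec.exe", "User": "NT AUTHORITY\\SYSTEM", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent", "Details": "C:\\Program Files\\Vendor\\agent.exe"}
{"EventCode": 13, "Image": "C:\\Windows\\regedit.exe", "User": "CORP\\bob", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Sync", "Details": "C:\\Users\\bob\\AppData\\Roaming\\update.exe"}
{"EventCode": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Vendor\\DisplayName", "Details": "Vendor Agent"}
"""


def autorun_findings(lines: Iterable[str]) -> list:
    """Return one finding per autorun-key write by a non-allowlisted image."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # Only registry value-set events carry the TargetObject path.
        if ev.get("EventCode") != REGISTRY_VALUE_SET:
            continue
        m = AUTORUN_VALUE_RE.search(ev.get("TargetObject", ""))
        if not m:
            continue
        image = ev.get("Image", "")
        if image.lower() in TRUSTED_IMAGES:
            continue
        findings.append({
            "key": m.group("key"),
            "value_name": m.group("value"),
            "target": ev["TargetObject"],
            "image": image,
            "user": ev.get("User", ""),
            "details": ev.get("Details", ""),
        })
    return findings


if __name__ == "__main__":
    for f in autorun_findings(SAMPLE_EVENTS.splitlines()):
        print(f"{f['key']}\\{f['value_name']} set by {f['image']} "
              f"({f['user']}): {f['details']}")
```

The `Details` field is what an analyst triages first: it holds the command line that will execute at next logon, so a value pointing into a user-writable directory such as `AppData` deserves more scrutiny than one pointing at a signed binary under `Program Files`. The allowlist keeps the example's noise down but is environment-specific; in practice it should be built from observed benign writers rather than guessed.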
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- User Account
ATT&CK Techniques
- T1547.001
Created: 2024-02-09