
Windows Disable LogOff Button Through Registry

Splunk Security Content

Summary
This detection identifies modifications to the Windows registry values that disable the logoff function. Such changes can indicate malicious activity, in particular ransomware that restricts what the logged-on user can do in order to prolong its control over a compromised host. Using the Endpoint.Registry data model, the rule inspects Sysmon-generated registry events (EventID 12 for key creation and deletion, EventID 13 for value writes) for changes to the registry paths and values that govern the logoff feature; only the EventID 13 value-set event carries the written data, so it is the one that confirms the control was actually disabled. These modifications matter because they can obstruct incident response: if remediation is undermined, attackers gain opportunities to maintain persistence in the affected environment. The rule is particularly relevant in environments where user logoff and system shutdown are critical operations, so administrators should log and monitor registry activity carefully. Two practical caveats: Sysmon only emits registry events for the key paths included in its configuration, so the policy keys must be covered for the rule to fire, and legitimately managed systems (for example kiosk or shared terminals whose Start menu is locked down through Group Policy) can set the same values, so matches should be correlated with the writing process and user before escalation.
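The following is an added example, not code from the Splunk Security Content project, that re-implements the detection logic of the paragraph above in Python and runs it over a handful of constructed Sysmon registry events. The page does not name the exact registry paths the Splunk rule matches; the two Explorer policy values used here (NoLogOff and StartMenuLogOff under a \Policies\Explorer key) are an assumption standing in for them, and the event field names mirror Sysmon's TargetObject, EventType and Details fields. The helper names (RegistryEvent, is_logoff_disabled, detect) are likewise invented for the example.

```python
"""Toy re-implementation of the 'disable logoff button' registry detection.

Example code added to illustrate the rule; not the Splunk project's own search.
All events below are constructed test data, not captured telemetry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# ASSUMPTION: the Explorer policy values that hide or remove the Log Off
# control. The page does not name the paths the real rule matches; check
# the rule's source for the exact registry_path filter it uses.
LOGOFF_POLICY_VALUES = {"nologoff", "startmenulogoff"}
POLICY_KEY_SUFFIX = r"\policies\explorer"


@dataclass
class RegistryEvent:
    """Subset of a Sysmon registry event as it would land in Endpoint.Registry."""
    event_id: int        # Sysmon 12 = key create/delete, 13 = value set
    event_type: str      # Sysmon EventType: "CreateKey", "DeleteKey", "SetValue"
    host: str
    user: str
    image: str           # process that performed the write
    target_object: str   # full registry path including the value name
    details: str         # Sysmon Details, e.g. "DWORD (0x00000001)" for a value set


def parse_dword(details: str) -> Optional[int]:
    """Extract the integer from a Sysmon Details string such as 'DWORD (0x00000001)'."""
    match = re.search(r"DWORD \((0x[0-9a-fA-F]+)\)", details)
    return int(match.group(1), 16) if match else None


def is_logoff_disabled(event: RegistryEvent) -> bool:
    """True when the event writes a logoff-disabling policy value with data 1.

    EventID 12 (key create/delete) carries no value data, so only EventID 13
    value writes can confirm the control was disabled.
    """
    if event.event_id != 13 or event.event_type != "SetValue":
        return False
    key, _, value_name = event.target_object.rpartition("\\")
    if not key.lower().endswith(POLICY_KEY_SUFFIX):
        return False
    if value_name.lower() not in LOGOFF_POLICY_VALUES:
        return False
    return parse_dword(event.details) == 1


def detect(events: List[RegistryEvent]) -> List[dict]:
    """Return one alert row per matching event, shaped like a search result."""
    return [
        {
            "host": e.host,
            "user": e.user,
            "image": e.image,
            "registry_path": e.target_object,
            "registry_value_data": e.details,
        }
        for e in events
        if is_logoff_disabled(e)
    ]


# Constructed sample events: two true positives, three that must not fire.
HKU_EXPLORER = (r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer")
HKLM_EXPLORER = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"

SAMPLE_EVENTS = [
    # Key created first: EventID 12, no data, must not alert on its own.
    RegistryEvent(12, "CreateKey", "ws01", "CORP\\alice", r"C:\Users\alice\AppData\Local\Temp\locker.exe",
                  HKU_EXPLORER, ""),
    # Logoff button hidden for the current user: alert.
    RegistryEvent(13, "SetValue", "ws01", "CORP\\alice", r"C:\Users\alice\AppData\Local\Temp\locker.exe",
                  HKU_EXPLORER + r"\NoLogOff", "DWORD (0x00000001)"),
    # Log Off removed from the Start menu machine-wide: alert.
    RegistryEvent(13, "SetValue", "ws01", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\reg.exe",
                  HKLM_EXPLORER + r"\StartMenuLogOff", "DWORD (0x00000001)"),
    # Same value set back to 0 (logoff re-enabled): not a disable, no alert.
    RegistryEvent(13, "SetValue", "ws02", "CORP\\bob", r"C:\Windows\System32\reg.exe",
                  HKU_EXPLORER + r"\NoLogOff", "DWORD (0x00000000)"),
    # Unrelated Explorer policy under the same key: no alert.
    RegistryEvent(13, "SetValue", "ws02", "CORP\\bob", r"C:\Windows\System32\gpupdate.exe",
                  HKLM_EXPLORER + r"\NoRun", "DWORD (0x00000001)"),
]


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

The alert rows deliberately carry the writing process and user alongside the path and data, since that is what an analyst needs to separate a Group Policy refresh or an administrator's reg.exe from a payload running out of a user's Temp directory.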
Categories
  • Endpoint
  • Windows
Data Sources
  • Pod
  • User Account
  • Windows Registry
ATT&CK Techniques
  • T1112
Created: 2024-12-08