New DLL Added to AppInit_DLLs Registry Key

Sigma Rules

Summary
This rule detects a new Dynamic Link Library (DLL) being added to the AppInit_DLLs registry value on Windows. The value lives under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows (and under the Wow6432Node counterpart, which is the view 32-bit processes get on 64-bit Windows) and lists DLLs that user32.dll loads into every process that loads user32.dll, provided the LoadAppInit_DLLs value in the same key is set to 1. Malware abuses this mechanism to persist and to run code inside many processes at once, which MITRE ATT&CK catalogues as T1546.010 (Event Triggered Execution: AppInit DLLs). The detection logic looks at registry value-set events (Sysmon Event ID 13) whose target is the AppInit_DLLs value under either path and flags any write that sets non-empty data, filtering out events that merely clear the value. AppInit_DLLs is rarely changed on a managed system, so every hit warrants a look at the DLL path that was written and at the process that wrote it. One caveat: Windows 8 and later disable the AppInit_DLLs infrastructure when Secure Boot is enabled, so on such hosts a hit indicates an attempted rather than a working persistence mechanism, but it still points at an actor with write access to HKLM and should be investigated.
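The following is an added example, not code from the rule page or the Sigma project: a minimal matcher that applies this rule's logic to Sysmon Event ID 13 ("RegistryEvent (Value Set)") records. It assumes the Sysmon field names TargetObject, Details and Image, treats Sysmon's "(Empty)" marker in Details as the value being cleared, and runs over constructed sample events rather than real logs.

```python
# Added example, not from the Sigma rule page or the Sigma project: a minimal
# matcher that applies this rule's logic to Sysmon Event ID 13 ("RegistryEvent
# (Value Set)") records. Field names (TargetObject, Details, Image) follow the
# Sysmon event schema; the sample events below are constructed, not real logs.
from dataclasses import dataclass
from typing import List

# The AppInit_DLLs value under the native key and under Wow6432Node (the view
# that 32-bit processes on 64-bit Windows see). Matching is done on the path
# suffix, as the Sigma rule does, so the hive spelling (HKLM vs.
# \REGISTRY\MACHINE) does not matter.
APPINIT_SUFFIXES = (
    r"\software\microsoft\windows nt\currentversion\windows\appinit_dlls",
    r"\software\wow6432node\microsoft\windows nt\currentversion\windows\appinit_dlls",
)


@dataclass(frozen=True)
class RegistryEvent:
    """Subset of a Sysmon registry event (constructed shape for this example)."""
    event_id: int        # 12 = key create/delete, 13 = value set, 14 = rename
    target_object: str   # full registry path of the key or value
    details: str         # new data for event 13; "(Empty)" when the value is cleared
    image: str           # process that performed the write


def matches_appinit_rule(ev: RegistryEvent) -> bool:
    """Return True when the event sets the AppInit_DLLs value to non-empty data."""
    # Only Event ID 13 carries the written data in Details.
    if ev.event_id != 13:
        return False
    # Registry paths are case-insensitive.
    target = ev.target_object.lower()
    if not target.endswith(APPINIT_SUFFIXES):
        return False
    # Filter: Sysmon reports "(Empty)" when the value is cleared, which is a
    # removal rather than an addition.
    if ev.details.strip() == "(Empty)":
        return False
    return True


def find_appinit_additions(events: List[RegistryEvent]) -> List[RegistryEvent]:
    """Run the matcher over a batch of events and return the hits."""
    return [ev for ev in events if matches_appinit_rule(ev)]


# Constructed sample events: two true positives, then three that must not fire.
SAMPLE_EVENTS = [
    RegistryEvent(13,
                  r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
                  r"C:\Users\Public\update.dll",
                  r"C:\Windows\regedit.exe"),
    RegistryEvent(13,
                  r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
                  r"C:\ProgramData\helper32.dll",
                  r"C:\Windows\SysWOW64\reg.exe"),
    # Value cleared: filtered out.
    RegistryEvent(13,
                  r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
                  "(Empty)",
                  r"C:\Windows\regedit.exe"),
    # Sibling value LoadAppInit_DLLs: a different value, so not this rule's
    # concern (though enabling it is itself worth a separate detection).
    RegistryEvent(13,
                  r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs",
                  "DWORD (0x00000001)",
                  r"C:\Windows\regedit.exe"),
    # Key-created event (ID 12) on the parent key carries no value data.
    RegistryEvent(12,
                  r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
                  "",
                  r"C:\Windows\regedit.exe"),
]


if __name__ == "__main__":
    for hit in find_appinit_additions(SAMPLE_EVENTS):
        print(f"ALERT: AppInit_DLLs set to {hit.details!r} by {hit.image}")
```

Running the block prints one alert for each of the two constructed additions and stays silent on the cleared value, the LoadAppInit_DLLs toggle and the key-creation event. In a real pipeline the Image field of a hit is the first pivot: a write from an installer during a maintenance window reads very differently from one by a script host or an unsigned binary in a user-writable path.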
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
Created: 2019-10-25