
Summary
This detection rule monitors for and identifies the creation of suspicious registry keys on Windows systems. Adversaries frequently use this technique to maintain persistence and execute malicious payloads, either by adding programs to Registry run keys or by abusing Image File Execution Options (IFEO) keys. IFEO keys can be manipulated so that a malicious program runs automatically when a legitimate process exits, via the silent process exit mechanism. The rule captures events with Event Code 4657, which indicates that a new registry value has been created, and specifically targets value data containing extensions commonly associated with malicious activity such as '.vbs' and '.dll'. The Splunk logic filters and aggregates these events, checks them for suspicious patterns, and limits the number of similar events reported within a defined time span, so that analysts can detect potential adversary actions without being flooded by duplicates. Multiple Advanced Persistent Threat (APT) groups, including APT29 and TA505, are known to use these techniques to blend in with normal system operations, which makes this rule important for threat detection in Windows environments.
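The detection logic described above, worked through as an added Python example. This is not the rule's own Splunk search and not code from the rule's author; it re-implements the same idea outside Splunk so the filtering, pattern matching and time-window suppression can be seen end to end. The event field names (time, host, user, object_name, value_name, operation, new_value) and all sample events are constructed for illustration, as are the five-minute suppression window and the exact key patterns for Run, RunOnce and IFEO.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events shaped like Windows Security Event 4657 records
# (hypothetical hosts, users and paths; not taken from the original rule page).
SAMPLE_EVENTS = [
    {"time": "2024-02-09T10:00:00", "event_code": 4657, "host": "WS01", "user": "alice",
     "object_name": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Updater", "operation": "New registry value created",
     "new_value": r"wscript.exe C:\Users\Public\update.vbs"},
    # Same value rewritten one minute later: a duplicate inside the window.
    {"time": "2024-02-09T10:01:00", "event_code": 4657, "host": "WS01", "user": "alice",
     "object_name": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Updater", "operation": "Existing registry value modified",
     "new_value": r"wscript.exe C:\Users\Public\update.vbs"},
    # IFEO entry pointing at a DLL: second distinct alert.
    {"time": "2024-02-09T10:02:00", "event_code": 4657, "host": "WS01", "user": "alice",
     "object_name": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                    r"\Image File Execution Options\notepad.exe",
     "value_name": "Debugger", "operation": "New registry value created",
     "new_value": r"rundll32.exe C:\ProgramData\helper.dll,Start"},
    # Benign Run entry: persistence key but no suspicious extension.
    {"time": "2024-02-09T10:03:00", "event_code": 4657, "host": "WS01", "user": "alice",
     "object_name": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive", "operation": "New registry value created",
     "new_value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    # Suspicious extension under an unrelated key: outside the rule's scope.
    {"time": "2024-02-09T10:04:00", "event_code": 4657, "host": "WS01", "user": "alice",
     "object_name": r"\REGISTRY\MACHINE\SOFTWARE\ExampleVendor\Plugins",
     "value_name": "Module", "operation": "New registry value created",
     "new_value": r"C:\Program Files\ExampleVendor\plugin.dll"},
    # First event repeated after the window has elapsed: reported again.
    {"time": "2024-02-09T10:12:00", "event_code": 4657, "host": "WS01", "user": "alice",
     "object_name": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Updater", "operation": "New registry value created",
     "new_value": r"wscript.exe C:\Users\Public\update.vbs"},
]

# Key paths the rule cares about: Run/RunOnce keys and anything under IFEO.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
IFEO_KEY_RE = re.compile(r"\\Image File Execution Options\\", re.IGNORECASE)
# Extensions the rule treats as suspicious in the new value data.
SUSPICIOUS_EXT_RE = re.compile(r"\.(vbs|dll)\b", re.IGNORECASE)


def is_persistence_key(object_name: str) -> bool:
    """True when the registry key is a Run/RunOnce key or lives under IFEO."""
    return bool(RUN_KEY_RE.search(object_name) or IFEO_KEY_RE.search(object_name))


def is_suspicious(event: dict) -> bool:
    """Apply the rule's filter: 4657, persistence key, suspicious extension in the data."""
    return (
        event["event_code"] == 4657
        and is_persistence_key(event["object_name"])
        and SUSPICIOUS_EXT_RE.search(event["new_value"]) is not None
    )


def detect(events: list, window: timedelta = timedelta(minutes=5)) -> list:
    """Return one alert per (host, user, key, value) within each suppression window."""
    last_alerted = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_suspicious(ev):
            continue
        dedup_key = (ev["host"], ev["user"], ev["object_name"].lower(), ev["value_name"].lower())
        ts = datetime.fromisoformat(ev["time"])
        prev = last_alerted.get(dedup_key)
        if prev is not None and ts - prev < window:
            continue  # similar event already reported inside the window
        last_alerted[dedup_key] = ts
        alerts.append({
            "time": ev["time"], "host": ev["host"], "user": ev["user"],
            "key": ev["object_name"], "value_name": ev["value_name"],
            "data": ev["new_value"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["time"]} {alert["host"]} {alert["user"]} '
              f'{alert["key"]}\\{alert["value_name"]} -> {alert["data"]}')
```

On the sample input this yields three alerts: the first Run-key write, the IFEO Debugger write, and the repeat of the Run-key write ten minutes later; the duplicate inside the window, the benign OneDrive entry and the DLL under an unrelated key are dropped. Tuning the window and the key patterns is the main lever for balancing noise against coverage, and benign software that legitimately registers .dll or .vbs handlers under Run keys should be allowlisted by value data rather than by loosening the key filter.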
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Logon Session
- File
ATT&CK Techniques
- T1003
- T1574.012
- T1547.001
- T1546.012
Created: 2024-02-09