
Summary
This rule detects a persistence mechanism that abuses the Windows registry: the 'UserInitMprLogonScript' value under the per-user Environment key (HKEY_USERS\<SID>\Environment, seen from the user's own session as HKCU\Environment). Whatever path is stored in that value is executed each time the user logs on, so writing it is a common way for an attacker to survive reboots in a compromised environment. The rule captures registry key creation events (EventType: CreateKey) and checks whether the newly created key contains that value name, which indicates potentially malicious activity. Analysts should inspect the data stored in the value, the process that wrote it and the user context to decide whether the referenced script is a legitimate logon script; this is also how false positives from administrative tooling are weeded out. The rule is rated medium severity and belongs to the set of detections that track persistence and privilege escalation techniques, here T1037.001 (Boot or Logon Initialization Scripts: Logon Script (Windows)).
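The detection logic described above, replayed over constructed registry events, as an added example that is not the page's rule or vendor code. The field names (EventType, TargetObject, Details, Image, User) are modelled on Sysmon registry events (Event ID 12 for key/value create and delete, Event ID 13 for value set), the SIDs and paths are made up, and the triage heuristic is an illustration, not part of the rule. It matches CreateKey events as the page describes and also SetValue events, since Sysmon reports a write to an existing value as a value-set event rather than a key creation.

```python
"""Detector for writes to the UserInitMprLogonScript registry value (T1037.001).

Added example, not the page's rule. Field names follow Sysmon registry events
(an assumption); the sample events below are constructed for this example.
"""
import re

# The value this technique abuses lives under the per-user Environment key:
# HKU\<SID>\Environment\UserInitMprLogonScript in Sysmon-style paths, or
# HKCU\Environment\UserInitMprLogonScript from the user's own view. The SID
# pattern is deliberately loose and matching is case-insensitive.
LOGON_SCRIPT_VALUE = re.compile(
    r"^(?:HKU|HKEY_USERS|HKCU|HKEY_CURRENT_USER)\\"
    r"(?:S-1-5-\d+(?:-\d+)*\\)?Environment\\UserInitMprLogonScript$",
    re.IGNORECASE,
)

# Directories an administrator-deployed logon script would not normally live in.
# Illustrative triage hint only (assumption), not part of the page's rule.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed Sysmon-style registry events (not real telemetry).
SAMPLE_EVENTS = [
    {   # value set to a script in a user-writable directory: the case the rule is after
        "EventID": 13, "EventType": "SetValue",
        "TargetObject": r"HKU\S-1-5-21-3623811015-3361044348-30300820-1013\Environment\UserInitMprLogonScript",
        "Details": r"C:\Users\alice\AppData\Roaming\Microsoft\update.vbs",
        "Image": r"C:\Windows\System32\reg.exe", "User": r"CORP\alice",
    },
    {   # key creation carrying the value name, which is what the page's rule keys on
        "EventID": 12, "EventType": "CreateKey",
        "TargetObject": r"HKU\S-1-5-21-3623811015-3361044348-30300820-1013\Environment\UserInitMprLogonScript",
        "Details": None, "Image": r"C:\Users\alice\Downloads\setup.exe", "User": r"CORP\alice",
    },
    {   # unrelated value under the same Environment key: must not fire
        "EventID": 13, "EventType": "SetValue",
        "TargetObject": r"HKU\S-1-5-21-3623811015-3361044348-30300820-1013\Environment\TEMP",
        "Details": r"%USERPROFILE%\AppData\Local\Temp",
        "Image": r"C:\Windows\explorer.exe", "User": r"CORP\alice",
    },
    {   # same value name under an unrelated key: must not fire
        "EventID": 13, "EventType": "SetValue",
        "TargetObject": r"HKLM\SOFTWARE\Vendor\UserInitMprLogonScript",
        "Details": "x", "Image": r"C:\Windows\System32\msiexec.exe", "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # value deleted: cleanup rather than persistence, ignored here
        "EventID": 12, "EventType": "DeleteValue",
        "TargetObject": r"HKU\S-1-5-21-3623811015-3361044348-30300820-1013\Environment\UserInitMprLogonScript",
        "Details": None, "Image": r"C:\Windows\System32\reg.exe", "User": r"CORP\alice",
    },
]


def triage(script, writer):
    """Coarse analyst hint for a hit. `writer` is kept for callers that want to
    extend the heuristic (e.g. allow-list a deployment tool); unused here."""
    if not script:
        return "review: no script path recorded, inspect the value in the live hive"
    if any(hint in script.lower() for hint in USER_WRITABLE_HINTS):
        return "suspicious: script lives in a user-writable directory"
    return "review: confirm the script is an approved logon script"


def detect(events):
    """Return one hit per event that creates or sets the UserInitMprLogonScript value."""
    hits = []
    for ev in events:
        if ev.get("EventType") not in ("CreateKey", "SetValue"):
            continue
        if not LOGON_SCRIPT_VALUE.match(ev.get("TargetObject", "")):
            continue
        hits.append({
            "event_type": ev["EventType"],
            "user": ev.get("User"),
            "writer": ev.get("Image"),
            "script": ev.get("Details"),
            "triage": triage(ev.get("Details"), ev.get("Image")),
        })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Each hit carries the writing process and the script path so the analyst can do the follow-up the summary asks for: open the referenced file, check who wrote the value and when, and compare it with the logon scripts the organisation actually deploys before closing the alert as benign.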
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
ATT&CK Techniques
- T1037.001
Created: 2019-01-12