diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_autoadminlogon_key.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_autoadminlogon_key.yml
new file mode 100644
index 00000000000..c6458456ea5
--- /dev/null
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_autoadminlogon_key.yml
@@ -0,0 +1,32 @@
+title: Detect Modification of AutoAdminLogon
+id: ecd4968d-3cea-4626-a6ef-84e4e50fd415
+related:
+ - id: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829
+ type: derived
+status: experimental
+description: Detects the modification of registry values DefaultUserName,DefaultPassword and AutoAdminLogon to enable automatic logon.Attacker use this technique to achieve persistence.
+references:
+ - https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware
+author: MahirAli Khan (in/mahiralikhan)
+date: 2024-10-16
+tags:
+ - attack.persistence
+ - detection.threat-hunting
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_reg:
+ CommandLine|contains|all:
+ - 'reg'
+ - 'add'
+ - 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
+ selection_options:
+ CommandLine|contains:
+ - 'DefaultUserName'
+ - 'DefaultPassword'
+ - 'AutoAdminLogon'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate system administrators modifying registry settings for automatic logon.
+level: medium
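Review bot: The `description` line has wording defects that will surface verbatim in every alert this rule raises: a missing space after the comma in `DefaultUserName,DefaultPassword`, a missing space after `logon.`, and `Attacker use` should be plural; suggested text: `description: Detects the modification of the registry values DefaultUserName, DefaultPassword and AutoAdminLogon to enable automatic logon. Attackers use this technique to achieve persistence.` Separately, `selection_reg` relies on the bare substrings `'reg'` and `'add'`, which match far more than the reg.exe utility (any path or argument containing `reg` or `add`); the Winlogon path keeps the rule from being noisy, but anchoring on the binary with `Image|endswith: '\reg.exe'` or `OriginalFileName: 'reg.exe'` would make the intent explicit and the rule easier to tune. Note also that the selection matches a value being cleared or set to 0 as well as enabled, which the falsepositives entry partly covers, and that edits made through PowerShell cmdlets or direct registry APIs are out of scope for a process_creation rule — presumably the derived rule listed under `related` covers registry-event telemetry, but that cannot be confirmed from this diff.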