
Summary
The rule 'Reg.exe Process Execution' monitors use of reg.exe, the built-in Windows command-line utility for reading and modifying the Windows Registry. Because the same tool serves legitimate administrators and threat actors alike, its execution is a useful pivot for threat detection. The rule captures process events initiated by reg.exe, including activity attributed to threat actor groups such as Kimsuky and to malware families like BlackByte, Clop, Snatch, and Trickbot. By examining event logs for specific event codes and filtering for reg.exe executions, it surfaces registry manipulation that may indicate malicious activity or a persistence mechanism. The exhaustive list of atomic tests associated with the mapped techniques covers defense evasion and registry discovery across endpoints. This approach helps organizations spot malicious use of reg.exe and understand threats already operating inside the environment, strengthening the overall security posture.
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1037.001
- T1137.004
- T1137.002
- T1137
- T1547.001
- T1546.002
- T1547.010
- T1546.010
- T1548.002
- T1574.011
- T1562.004
- T1112
- T1012
Created: 2024-02-09
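As an added illustration (not the rule's own search logic, which the page does not reproduce), the following Python filters process-creation events for reg.exe executions and tags each one with techniques from the ATT&CK list above. The event layout (Sysmon Event ID 1-style fields: EventCode, Image, OriginalFileName, CommandLine, ParentImage, User), the sample events themselves and the registry-path-to-technique mapping are all assumptions constructed for this example.

```python
"""Added example: filter process-creation telemetry for reg.exe and tag each
execution with the ATT&CK techniques the rule is mapped to.
Sample events are constructed (assumed Sysmon Event ID 1 layout), not real logs."""
import ntpath
import re

REG_BINARY = "reg.exe"

# Constructed sample events. EventCode 1 = Sysmon process creation (assumption:
# the page does not state which event code the rule keys on).
SAMPLE_EVENTS = [
    {"EventCode": 1, "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
                    '/v Updater /t REG_SZ /d "C:\\Users\\bob\\AppData\\Roaming\\u.exe" /f'},
    {"EventCode": 1, "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters"},
    {"EventCode": 1, "User": "CORP\\alice",  # unrelated process, must not match
     "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventCode": 1, "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows" '
                    "/v AppInit_DLLs /t REG_SZ /d C:\\ProgramData\\x.dll /f"},
    {"EventCode": 1, "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "reg add HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile "
                    "/v EnableFirewall /t REG_DWORD /d 0 /f"},
    {"EventCode": 3, "User": "CORP\\bob",  # Sysmon network event, not process creation
     "Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": ""},
    {"EventCode": 1, "User": "CORP\\bob",  # relocated copy: a path-only check would miss it
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\r.exe", "OriginalFileName": "reg.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "r.exe delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce /v Updater /f"},
]

# Registry locations tied to techniques in the rule's ATT&CK list (illustrative subset).
TECHNIQUE_PATTERNS = [
    (re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.I), "T1547.001"),   # Run keys
    (re.compile(r"\bAppInit_DLLs\b", re.I), "T1546.010"),                    # AppInit DLLs
    (re.compile(r"\\WindowsFirewall\\", re.I), "T1562.004"),                  # firewall policy
    (re.compile(r"\bUserInitMprLogonScript\b", re.I), "T1037.001"),          # logon script
]
MODIFYING_SUBCOMMANDS = {"add", "delete", "import", "load", "restore", "copy"}


def is_reg_exe(event):
    """True for process-creation events whose image path or PE original name is reg.exe."""
    if event.get("EventCode") != 1:
        return False
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    return image == REG_BINARY or original == REG_BINARY


def classify(command_line):
    """Return (subcommand, techniques): T1012 for reads, T1112 for writes, plus path-specific tags."""
    tokens = command_line.split()
    sub = tokens[1].lower() if len(tokens) > 1 else ""
    techniques = []
    if sub == "query":
        techniques.append("T1012")
    elif sub in MODIFYING_SUBCOMMANDS:
        techniques.append("T1112")
    for pattern, technique in TECHNIQUE_PATTERNS:
        if pattern.search(command_line) and technique not in techniques:
            techniques.append(technique)
    return sub, techniques


def detect_reg_executions(events):
    """Apply the rule's core filter and enrich each hit with context for triage."""
    findings = []
    for ev in events:
        if not is_reg_exe(ev):
            continue
        sub, techniques = classify(ev.get("CommandLine", ""))
        findings.append({
            "user": ev.get("User"),
            "parent": ntpath.basename(ev.get("ParentImage", "")),
            "subcommand": sub,
            "techniques": techniques,
            "relocated": ntpath.basename(ev.get("Image", "")).lower() != REG_BINARY,
            "command_line": ev.get("CommandLine", ""),
        })
    return findings


if __name__ == "__main__":
    for f in detect_reg_executions(SAMPLE_EVENTS):
        flag = " (relocated binary)" if f["relocated"] else ""
        print(f"{f['user']:<22} {f['parent']:<16} {f['subcommand']:<7} "
              f"{','.join(f['techniques']):<20}{flag}")
```

Matching on OriginalFileName as well as the image path is what keeps the last sample event in scope; the technique tags are only triage hints, since reg.exe is also common in installers and admin scripts, and in practice the rule is tuned on parent process, user context and the registry paths touched.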