
Credentials in Registry

Anvilogic Forge

Summary
The detection rule 'Credentials in Registry' identifies adversaries searching the Windows Registry for insecurely stored credentials, a technique used by APT groups and ransomware operators alike. The Registry can hold passwords and other security-sensitive data, which adversaries extract to extend a compromise. The rule relies primarily on EDR (Endpoint Detection and Response) process telemetry and looks for process activity that queries or saves registry data associated with user credentials. It covers two behaviours: queries against registry locations under the HKLM and HKCU hives that commonly hold credentials, and the saving (export) of registry data that holds credential material. Particular attention is paid to processes that commonly exhibit this behaviour, including but not limited to remote access tools and password management software. The detection logic combines keywords for registry querying and saving with tabular output that gives analysts context about each matched event.
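The two behaviours described above, run over a handful of constructed EDR process events, as an added example in Python. This is not Anvilogic's rule logic: the command-line patterns (reg.exe query/save/export and the PowerShell registry cmdlets), the credential keywords, the registry paths and the sample events are this example's own assumptions about what such a rule would key on.

```python
"""Illustrative detection for credential hunting in the Windows Registry.

Flags two behaviours from EDR process command lines:
  1. credential_query: registry reads filtered on credential keywords or
     aimed at locations known to hold credentials;
  2. hive_save: export of the SAM / SECURITY / SYSTEM hives to a file.
All patterns, paths and sample events below are constructed for illustration.
"""
import re
from typing import Optional

# Constructed sample EDR process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-02-09T10:01:02Z", "host": "WS01", "user": "CORP\\alice",
     "parent": "cmd.exe",
     "cmdline": r"reg query HKLM /f password /t REG_SZ /s"},
    {"ts": "2024-02-09T10:03:17Z", "host": "WS01", "user": "CORP\\alice",
     "parent": "cmd.exe",
     "cmdline": r"reg.exe save HKEY_LOCAL_MACHINE\SAM C:\Users\Public\sam.hiv"},
    {"ts": "2024-02-09T10:04:40Z", "host": "SRV07", "user": "CORP\\svc_rmm",
     "parent": "rmmagent.exe",
     "cmdline": r'powershell.exe -c "Get-ItemProperty HKCU:\Software\SimonTatham\PuTTY\Sessions\prod-db"'},
    {"ts": "2024-02-09T10:06:05Z", "host": "WS02", "user": "CORP\\bob",
     "parent": "explorer.exe",
     "cmdline": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"ts": "2024-02-09T10:07:30Z", "host": "WS02", "user": "CORP\\bob",
     "parent": "msiexec.exe",
     "cmdline": r"reg add HKLM\Software\Contoso\App /v Setting /d 1"},
]

# Long hive names are folded to their short aliases before matching.
HIVE_ALIASES = {
    "hkey_local_machine": "hklm",
    "hkey_current_user": "hkcu",
    "hkey_users": "hku",
}

# reg.exe subcommand and PowerShell cmdlets that read registry data.
QUERY_RE = re.compile(r"\breg(?:\.exe)?\s+query\b|\bget-itemproperty\b|\bget-childitem\b")
# reg.exe subcommands that write registry data out to a file.
SAVE_RE = re.compile(r"\breg(?:\.exe)?\s+(?:save|export)\b")

# Value-name filters adversaries typically pass (e.g. reg query HKLM /f password /s).
CRED_KEYWORDS = ("password", "passwd", "pwd", "credential", "secret")
# Locations commonly read for stored credentials (assumed list, not exhaustive).
CRED_QUERY_PATHS = (r"putty\sessions", r"currentversion\winlogon")
# Hives whose export enables offline hash and LSA-secret extraction.
HIVE_SAVE_PATHS = (r"hklm\sam", r"hklm\security", r"hklm\system")

COLUMNS = ("ts", "host", "user", "parent", "category", "cmdline")


def normalize(cmdline: str) -> str:
    """Lower-case, collapse whitespace and shorten hive names so one pattern set applies."""
    s = " ".join(cmdline.lower().split())
    for long_name, short_name in HIVE_ALIASES.items():
        s = s.replace(long_name, short_name)
    return s


def _has_path(cmd: str, paths) -> bool:
    # Path must end at a non-word char so hklm\sam does not match hklm\samples.
    return any(re.search(re.escape(p) + r"(?!\w)", cmd) for p in paths)


def evaluate(event: dict) -> Optional[dict]:
    """Return a tabular match row for a single process event, or None if benign."""
    cmd = normalize(event["cmdline"])
    if SAVE_RE.search(cmd) and _has_path(cmd, HIVE_SAVE_PATHS):
        category = "hive_save"
    elif QUERY_RE.search(cmd) and (
        any(k in cmd for k in CRED_KEYWORDS) or _has_path(cmd, CRED_QUERY_PATHS)
    ):
        category = "credential_query"
    else:
        return None
    return {c: event[c] for c in ("ts", "host", "user", "parent", "cmdline")} | {"category": category}


def run(events) -> list:
    """Apply the rule to a stream of events and keep only the matches."""
    return [row for row in map(evaluate, events) if row is not None]


def format_table(rows: list) -> str:
    """Render matches as a fixed-width table for analyst review."""
    widths = {c: max([len(c)] + [len(str(r[c])) for r in rows]) for c in COLUMNS}
    lines = ["  ".join(c.ljust(widths[c]) for c in COLUMNS),
             "  ".join("-" * widths[c] for c in COLUMNS)]
    for r in rows:
        lines.append("  ".join(str(r[c]).ljust(widths[c]) for c in COLUMNS))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(run(SAMPLE_EVENTS)))
```

Of the five sample events, the first three alert (keyword-filtered query, SAM hive export, PuTTY session read) and the last two do not, because a query of an autorun key or a plain `reg add` carries no credential keyword or credential-holding path. The parent process and user columns are what an analyst tunes on: backup agents and some administration tools legitimately export hives, so suppress by signed parent process rather than by dropping the keywords, and note that none of this fires unless the EDR records full process command lines.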
Categories
  • Windows
  • Endpoint
  • Application
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1003.002
  • T1003.003
  • T1003.004
  • T1552.002
Created: 2024-02-09