
Summary
This detection rule is designed to identify adversary activities involving the Windows Registry, which is often utilized by threat actors to gather critical information about a system's configuration and installed software. The detection logic is tailored for use with Splunk and focuses on specific Windows Event Codes (4103 and 4104), which are indicative of registry-related activities. The rule looks for commands executed through both native registry tools (`reg.exe`) and PowerShell cmdlets, such as `Get-Item` and `Get-ItemProperty`. It employs Splunk's search and statistical functions to analyze the frequency of processes interacting with the registry, thereby highlighting unusual patterns that might indicate a compromise. The rule targets various known threat actor groups, including APT29 (Nobelium), APT33, and notable malware strains like Emotet and Dridex. This provides a robust mechanism for detecting unwanted registry queries, which could signify reconnaissance or malicious software activity.
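As an added illustration, not the rule's own SPL (which this page does not reproduce), the Python below mirrors the detection logic over a handful of constructed 4103/4104 records: it matches `reg.exe` queries and `Get-Item`/`Get-ItemProperty`/`Get-ChildItem` calls aimed at registry hives, then counts hits per host and process the way the rule's statistical step does. The field names (`ScriptBlockText`, `Payload`, `host`, `process`), the sample events and the threshold are assumptions for this example.

```python
import re
from collections import Counter

# Registry hives as they appear in reg.exe arguments and PowerShell provider paths.
HIVE = r"(?:HKLM|HKCU|HKCR|HKU|HKCC|HKEY_[A-Z_]+)"
# reg / reg.exe followed by the query verb and a hive.
REG_EXE = re.compile(rf'\breg(?:\.exe)?\s+query\s+"?{HIVE}', re.IGNORECASE)
# Get-Item / Get-ItemProperty / Get-ChildItem pointed at the registry provider.
PS_CMDLET = re.compile(
    rf"\bGet-(?:Item|ItemProperty|ChildItem)\b[^\n]*?(?:Registry::|{HIVE}:)",
    re.IGNORECASE,
)

def is_registry_query(text: str) -> bool:
    """True when the command text queries the registry via reg.exe or a Get-* cmdlet."""
    return bool(REG_EXE.search(text) or PS_CMDLET.search(text))

def command_text(event: dict) -> str:
    """4104 carries ScriptBlockText; 4103 (module logging) carries the Payload field (assumed names)."""
    return event.get("ScriptBlockText") or event.get("Payload") or ""

def count_registry_queries(events):
    """Count registry query commands per (host, process), like the rule's stats step."""
    counts = Counter()
    for ev in events:
        if ev.get("EventCode") in (4103, 4104) and is_registry_query(command_text(ev)):
            counts[(ev["host"], ev["process"])] += 1
    return counts

def flag_unusual(counts, threshold=2):
    """Return the (host, process) pairs whose query count reaches the threshold."""
    return sorted(k for k, n in counts.items() if n >= threshold)

# Constructed sample events, not taken from any real log.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "host": "ws01", "process": "powershell.exe",
     "ScriptBlockText": r"Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'"},
    {"EventCode": 4103, "host": "ws01", "process": "powershell.exe",
     "Payload": r'CommandInvocation(Get-Item): "Get-Item" ParameterBinding(Get-Item): name="Path"; value="HKCU:\Software\Classes"'},
    {"EventCode": 4104, "host": "ws01", "process": "powershell.exe",
     "ScriptBlockText": r"reg query HKLM\SYSTEM\CurrentControlSet\Services /s"},
    {"EventCode": 4104, "host": "ws02", "process": "powershell.exe",
     "ScriptBlockText": r"Get-Item -Path C:\Windows\Temp | Remove-Item"},  # file system, not registry
    {"EventCode": 4688, "host": "ws02", "process": "reg.exe",
     "CommandLine": r"reg.exe query HKLM\SAM"},  # not a 4103/4104 record, so outside this rule's scope
]

if __name__ == "__main__":
    hits = count_registry_queries(SAMPLE_EVENTS)
    print(dict(hits), flag_unusual(hits))
```

Only the PowerShell logging records count; the 4688 process record is left to a separate process-creation rule, and the `C:\` path shows why the match is restricted to registry hives and the `Registry::` provider.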
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1012
- T1218
- T1547.005
Created: 2024-02-09