
Registry key added with reg.exe

Anvilogic Forge

Summary
This detection rule monitors use of the Windows command-line utility reg.exe to add or import registry keys and values. The Windows registry holds system configuration and software settings, and adversaries modify it to maintain persistence or to disable security controls on compromised hosts. The rule uses Splunk to collect endpoint process data and matches reg.exe invocations whose command line carries the 'add' or 'import' verb. Threat actors linked to this behavior include APT35 and APT41, so the rule can help identify tactics used by advanced persistent threats. The primary technique, T1112 (Modify Registry), falls under Defense Evasion, making the rule relevant to identifying potential compromises on endpoints.
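The following is an added example, not the Anvilogic rule itself (which is Splunk SPL): a stand-alone Python re-implementation of the same matching logic, run over a handful of constructed process-creation events in a simplified Sysmon Event ID 1 / Security 4688 shape. It matches on the process image name (any path, any case) and on the reg.exe verb ('add' or 'import'), and shows the cases a practitioner cares about: a read-only 'reg query' that must not alert, a quoted full path to reg.exe with an upper-case verb, and a cmd.exe one-liner whose own event is not a reg.exe event. The host names, users and command lines are made up for the example.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Verbs of reg.exe that write to the registry. 'add' creates a key and/or sets a
# value; 'import' loads a .reg file. Other verbs (query, export, ...) are ignored.
REG_WRITE_VERBS = {"add", "import"}

# Constructed sample process-creation events (simplified Sysmon EID 1 / 4688 shape).
# These are made up for this example, not real telemetry.
SAMPLE_EVENTS = [
    {   # Run-key persistence (should alert)
        "host": "ws01", "user": "CORP\\alice",
        "image": r"C:\Windows\System32\reg.exe",
        "cmdline": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
                   r'/v Updater /t REG_SZ /d "C:\Users\alice\AppData\Roaming\up.exe" /f',
    },
    {   # Read-only query (should not alert)
        "host": "ws01", "user": "CORP\\alice",
        "image": r"C:\Windows\System32\reg.exe",
        "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    },
    {   # Import via quoted full path and upper-case verb (should alert)
        "host": "srv02", "user": "NT AUTHORITY\\SYSTEM",
        "image": r"C:\Windows\SysWOW64\REG.EXE",
        "cmdline": r'"C:\Windows\SysWOW64\REG.EXE" IMPORT C:\Windows\Temp\settings.reg',
    },
    {   # cmd.exe one-liner: the image is cmd.exe, so this event is not matched here;
        # the reg.exe child it spawns produces its own process-creation event.
        "host": "srv02", "user": "CORP\\svc_backup",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": r"cmd.exe /c reg add HKLM\SOFTWARE\Test /v x /t REG_DWORD /d 1 /f",
    },
    {   # Help output only (should not alert)
        "host": "ws01", "user": "CORP\\alice",
        "image": r"C:\Windows\System32\reg.exe",
        "cmdline": "reg /?",
    },
]


@dataclass
class Alert:
    host: str
    user: str
    verb: str
    target: Optional[str]
    cmdline: str


def is_reg_exe(image: str) -> bool:
    """True if the process image's file name is reg.exe, regardless of path or case."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.lower() == "reg.exe"


def parse_reg_cmdline(cmdline: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (verb, target) from a reg.exe command line.

    The line is split with posix=False so backslashes stay literal and quoted
    arguments (key paths containing spaces) remain a single token.
    """
    try:
        argv = shlex.split(cmdline, posix=False)
    except ValueError:            # unbalanced quotes: fall back to whitespace split
        argv = cmdline.split()
    if len(argv) < 2:
        return None, None
    verb = argv[1].lower()
    target = argv[2].strip('"') if len(argv) > 2 else None
    return verb, target


def detect_reg_writes(events) -> List[Alert]:
    """Apply the rule: a reg.exe process whose command line uses a write verb."""
    alerts = []
    for ev in events:
        if not is_reg_exe(ev["image"]):
            continue
        verb, target = parse_reg_cmdline(ev["cmdline"])
        if verb in REG_WRITE_VERBS:
            alerts.append(Alert(ev["host"], ev["user"], verb, target, ev["cmdline"]))
    return alerts


if __name__ == "__main__":
    for a in detect_reg_writes(SAMPLE_EVENTS):
        print(f"[{a.host}] {a.user}: reg {a.verb} -> {a.target}")
```

Running the block alerts on the Run-key 'add' and the SYSTEM-level 'import' and stays quiet on the query, the help invocation and the cmd.exe parent event. The extracted target (the key path or the .reg file) is what an analyst would pivot on when triaging, since 'reg add' against Run, Winlogon or service keys is far more interesting than the same verb against an application's own settings.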
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1021.001
  • T1546.010
  • T1112
Created: 2024-02-09