
Summary
This detection rule identifies a Windows Registry key being exported into an NTFS Alternate Data Stream (ADS) with regedit.exe. An ADS is a named stream attached to an existing file; its contents do not show up in Explorer, in a plain `dir` listing, or in the file's reported size, so an export written there is hidden from casual inspection and from tooling that only looks at the default data stream. The rule fires when the regedit executable is launched with a stream as its export target, that is, when the detection logic sees a process image ending in '\regedit.exe' together with a file path that carries a stream name. Because the image match is on the binary name, a renamed copy of regedit.exe would not satisfy this rule. Writing registry data into an ADS is characteristic of attempts to evade detection by obscuring data, so the rule is categorized under defense evasion. The references provided offer further reading on registry exports and alternate data streams in Windows environments.
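The following is an added example, not the rule's own query or code from the rule's authors, showing the detection logic above applied to constructed process-creation events. It assumes Sysmon-style `Image` and `CommandLine` fields and the documented `regedit /E <file> <key>` export syntax with an ADS appended to the file path (`<file>:<stream>`); the field names, sample events and the `parse_ads_target` / `detect_regedit_ads` helpers are this example's own.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# Event 0: export to an ADS (should alert, mode "export").
# Event 1: ordinary export to a quoted path with spaces (no alert).
# Event 2: regedit reading a .reg from an ADS (should alert, mode "import/other").
# Event 3: ADS written by cmd.exe, not regedit (no alert for this rule).
# Event 4: regedit started interactively (no alert).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\regedit.exe",
     "CommandLine": r"regedit /E C:\Users\Public\notes.txt:hidden.reg HKEY_CURRENT_USER\Software\Test"},
    {"Image": r"C:\Windows\regedit.exe",
     "CommandLine": r'regedit /E "C:\Users\Public\My Documents\backup.reg" HKEY_LOCAL_MACHINE\SOFTWARE\Vendor'},
    {"Image": r"C:\Windows\regedit.exe",
     "CommandLine": r"regedit /S C:\ProgramData\cache.dat:payload.reg"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo hi > C:\temp\x.txt:hidden"},
    {"Image": r"C:\Windows\regedit.exe",
     "CommandLine": r"regedit"},
]

# After an optional drive prefix is removed, a path that still contains a colon
# followed by a stream name (no path separators) is an ADS target.
# An optional ":$DATA" stream-type suffix is tolerated.
_DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")
_ADS_TARGET = re.compile(r"^(?P<path>[^:]+):(?P<stream>[^:\\/]+)(?::\$[A-Za-z]+)?$")


def split_cmdline(cmdline):
    """Minimal Windows-style tokenizer: whitespace separated, double quotes group."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_ads_target(token):
    """Return (file_path, stream_name) if the token names an ADS, else None."""
    drive = _DRIVE_PREFIX.match(token)
    rest = token[drive.end():] if drive else token
    m = _ADS_TARGET.match(rest)
    if not m:
        return None
    prefix = drive.group(0) if drive else ""
    return prefix + m.group("path"), m.group("stream")


def detect_regedit_ads(events):
    """Apply the rule: image ends with \\regedit.exe and an argument is an ADS target."""
    alerts = []
    for idx, ev in enumerate(events):
        if not ev["Image"].lower().endswith("\\regedit.exe"):
            continue
        tokens = split_cmdline(ev["CommandLine"])
        switches = {t.upper() for t in tokens if t.startswith("/")}
        # /E is regedit's export switch; anything else touching an ADS is still
        # suspicious (for example importing a .reg hidden in a stream).
        mode = "export" if "/E" in switches else "import/other"
        for tok in tokens:
            target = parse_ads_target(tok)
            if target:
                alerts.append({"event": idx, "mode": mode,
                               "file": target[0], "stream": target[1]})
    return alerts


if __name__ == "__main__":
    for alert in detect_regedit_ads(SAMPLE_EVENTS):
        print(alert)
```

Only the two regedit.exe events with a `<file>:<stream>` argument produce alerts; the quoted path containing spaces is parsed as a single token and is not mistaken for a stream, and the cmd.exe event is left to a separate ADS-creation rule because this one is keyed on the regedit image.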
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
Created: 2020-10-07