
Summary
This rule detects the unauthorized execution of Windows registry commands via 'reg.exe' that target the safe boot registry keys. The detection logic inspects the command line used to launch 'reg.exe' and matches when it contains the 'add' or 'copy' subcommand together with a reference to the safe boot registry path (\SYSTEM\CurrentControlSet\Control\SafeBoot); both conditions must hold for the rule to fire. Attackers commonly use these commands to let ransomware run in safe mode, circumventing security measures that may not be active in that state. By deploying this detection, organizations can better defend against threats that manipulate the system boot configuration to aid malicious activity.
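The following is an added illustration of the detection logic described above, not code from the rule's own source or from any detection project. It assumes process-creation events that carry an image path and a command line (as Sysmon Event ID 1 or Windows Security Event 4688 do), and it applies the two conditions from the summary: the verb given to reg.exe is 'add' or 'copy', and the command line references \SYSTEM\CurrentControlSet\Control\SafeBoot. The sample events are constructed; the service name 'ExampleSvc' is a placeholder.

```python
import re
import shlex
from dataclasses import dataclass

# Safe boot registry path from the rule. Matching on the path fragment without
# the hive prefix covers both "HKLM\SYSTEM\..." and the long "\Registry\Machine\SYSTEM\..."
# form that some log sources emit; IGNORECASE handles "hklm\system\..." variants.
SAFEBOOT_RE = re.compile(r"\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot", re.IGNORECASE)

# reg.exe subcommands that write to the registry and are named by the rule.
# 'query' and 'export' are deliberately excluded so read-only activity does not alert.
WRITE_VERBS = {"add", "copy"}


@dataclass
class ProcessEvent:
    image: str          # full path of the executable that was started
    command_line: str   # command line as recorded by the process-creation event


def is_reg_exe(image: str) -> bool:
    """True when the image basename is reg.exe, regardless of directory or case."""
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1]
    return basename.lower() == "reg.exe"


def reg_verb(command_line: str) -> str:
    """Return reg.exe's subcommand (its first argument), lower-cased, or '' if absent."""
    try:
        # posix=False keeps Windows backslashes literal and leaves quotes on tokens.
        tokens = shlex.split(command_line, posix=False)
    except ValueError:
        # Unbalanced quotes in the recorded command line: fall back to whitespace split.
        tokens = command_line.split()
    if len(tokens) < 2:
        return ""
    return tokens[1].strip('"').lower()


def matches_rule(event: ProcessEvent) -> bool:
    """Both rule conditions: a write verb AND a reference to the SafeBoot key."""
    if not is_reg_exe(event.image):
        return False
    if reg_verb(event.command_line) not in WRITE_VERBS:
        return False
    return SAFEBOOT_RE.search(event.command_line) is not None


def scan(events: list[ProcessEvent]) -> list[int]:
    """Return the indexes of events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


# Constructed sample events (not real telemetry). Indexes 0 and 3 should alert.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ExampleSvc"'),
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r"reg.exe query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"),
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r"reg.exe add HKCU\Software\ExampleApp /v Setting /d 1"),
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r"reg.exe copy HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network HKLM\Software\Backup /s"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c echo add \SYSTEM\CurrentControlSet\Control\SafeBoot"),
]


if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i].command_line}")
```

Event 1 (a 'query') and event 2 (an 'add' outside SafeBoot) show why the rule requires both conditions; event 4 shows that matching on the image name keeps an unrelated process that merely echoes the path from alerting. Legitimate installers of drivers and security software do register services under SafeBoot\Minimal, so expect some benign hits and tune on the parent process or signer where the log source provides them.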
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
Created: 2022-09-02