Extraction of Registry Hives

Splunk Security Content

Summary
This analytic rule, 'Extraction of Registry Hives', detects the export of sensitive Windows Registry hives with the `reg.exe` command. The `sam`, `system`, and `security` hives hold credential material, so saving or exporting them is a common credential-harvesting step. The rule uses Endpoint Detection and Response (EDR) process telemetry to flag command-line executions that save or export these specific hives. Where this is done maliciously, it points to preparation for an offline credential access attack and can enable further exploitation and lateral movement within the network. Although useful for threat detection, the rule is marked as deprecated: it should no longer be relied upon in security operations, and its effectiveness and applicability may have diminished over time.
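To make the described detection logic concrete, here is an added example in Python (not Splunk's own search and not the rule's SPL) that applies the same check over constructed process-creation events: it flags `reg.exe` `save`/`export` invocations whose target is the root of the `sam`, `system` or `security` hive. The event field names (`host`, `user`, `command_line`) and the whole-hive-only match are assumptions.

```python
import ntpath
import re
import shlex
from dataclasses import dataclass

# Root of a credential-bearing hive (HKLM\SAM, HKEY_LOCAL_MACHINE\SECURITY, ...); assumption: only whole-hive targets are flagged, so routine subkey exports stay quiet.
HIVE_ROOT_RE = re.compile(r"^(?:hklm|hkey_local_machine)\\(sam|system|security)\\?$", re.I)

@dataclass
class Finding:
    host: str
    user: str
    action: str  # "save" or "export"
    hive: str    # sam, system or security
    command_line: str

def analyze_process_event(event: dict):
    """Return a Finding if the event is reg.exe saving/exporting a sensitive hive, else None."""
    cmd = event.get("command_line", "")
    try:
        argv = shlex.split(cmd, posix=False)  # non-POSIX mode keeps Windows backslashes intact
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        argv = cmd.split()
    if len(argv) < 3:
        return None
    exe = ntpath.basename(argv[0].strip('"')).lower()  # handles bare or full-path reg.exe
    if exe not in ("reg.exe", "reg") or argv[1].lower() not in ("save", "export"):
        return None
    match = HIVE_ROOT_RE.match(argv[2].strip('"'))
    if not match:
        return None
    return Finding(event.get("host", "?"), event.get("user", "?"),
                   argv[1].lower(), match.group(1).lower(), cmd)

def scan(events: list) -> list:
    return [f for f in map(analyze_process_event, events) if f is not None]

# Constructed sample events; the field names (host, user, command_line) are assumptions.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "command_line": r"reg.exe save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"host": "WS01", "user": "CORP\\jdoe", "command_line": r'"C:\Windows\System32\reg.exe" export HKEY_LOCAL_MACHINE\SECURITY "C:\Users\Public\sec.reg"'},
    {"host": "WS02", "user": "CORP\\admin", "command_line": r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"host": "WS02", "user": "CORP\\admin", "command_line": r"reg.exe export HKLM\SOFTWARE\Contoso C:\backup\contoso.reg"},
    {"host": "WS03", "user": "CORP\\svc", "command_line": r"notepad.exe C:\notes.txt"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host} {f.user}: reg {f.action} of {f.hive} hive <- {f.command_line}")
```

Only the first two sample events are flagged; the subkey export and the `query` are left alone, which is the trade-off to tune if your environment needs subkey coverage.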
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1003.002
  • T1003
Created: 2025-01-24