
Summary
This detection rule alerts when 'reg.exe' is used to export registry paths associated with third-party credentials, a technique commonly employed by credential-theft malware. Because attackers frequently abuse legitimate system tools for malicious ends, including registry exports, the rule focuses on specific known registry paths where sensitive information may reside. It triggers when 'reg.exe' is executed with command-line arguments indicating a save or export operation that targets software registry entries known to hold credentials. The rule helps identify potential credential-extraction attempts and is classified as high severity because of the sensitivity of the information that could be exfiltrated this way.
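The following is an added illustration of the detection logic described above, written for this page and not the rule's own implementation. It parses process-creation events (constructed sample records, not real telemetry), requires the image to be reg.exe, requires the sub-command to be `save` or `export`, and then checks whether the targeted key falls under a watchlist of credential-holding paths. The page does not publish its watchlist, so the two entries below (PuTTY and WinSCP session stores) are assumptions chosen because they are widely documented, and the event structure is a hypothetical simplification of what an EDR would provide.

```python
import re
from dataclasses import dataclass

# ASSUMED illustrative watchlist: the rule on this page does not list its paths.
# Stored lowercase, without a hive prefix, so HKCU\... and HKU\<SID>\... both match.
WATCHED_PATHS = (
    r"software\simontatham\putty\sessions",
    r"software\martin prikryl\winscp 2\sessions",
)

# reg.exe sub-commands that write registry data out to a file.
EXPORT_VERBS = {"save", "export"}


@dataclass
class ProcessEvent:
    """Hypothetical process-creation record (image path plus full command line)."""
    process_name: str
    command_line: str


def tokenize(command_line: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted spans
    together and stripping the surrounding quotes from each token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def is_credential_registry_export(event: ProcessEvent) -> bool:
    """True when reg.exe saves/exports a key under one of the watched paths."""
    image = event.process_name.rsplit("\\", 1)[-1].lower()
    if image != "reg.exe":
        return False
    argv = tokenize(event.command_line)
    # Expect: reg <verb> <key> <outfile> [...]; anything shorter cannot be an export.
    if len(argv) < 3 or argv[1].lower() not in EXPORT_VERBS:
        return False
    key = argv[2].lower()
    # Substring match tolerates HKCU\, HKEY_CURRENT_USER\ and HKU\<SID>\ prefixes.
    return any(path in key for path in WATCHED_PATHS)


def matching_command_lines(events: list[ProcessEvent]) -> list[str]:
    """Return the command lines of every event that would raise this alert."""
    return [e.command_line for e in events if is_credential_registry_export(e)]


# Constructed sample events; the SID and file paths are made up for the example.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r'reg.exe save "HKCU\Software\SimonTatham\PuTTY\Sessions" C:\Users\Public\p.hiv /y'),
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r'reg export "HKU\S-1-5-21-1111111111-2222222222-3333333333-1001'
                 r'\Software\Martin Prikryl\WinSCP 2\Sessions" C:\Users\Public\w.reg'),
    # Benign: a query, not an export.
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r"reg query HKCU\Software\SimonTatham\PuTTY\Sessions"),
    # Benign: an export, but of a path outside the watchlist.
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r"reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Public\run.reg"),
    # Benign: the watched string appears, but the image is not reg.exe.
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c echo "HKCU\Software\SimonTatham\PuTTY\Sessions"'),
]

if __name__ == "__main__":
    for line in matching_command_lines(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Matching on the export verb and the key argument together, rather than on the path string alone, is what keeps the third and fifth sample events quiet: reading the key with `query`, or merely mentioning the path from another process, does not write credential material to a file and would otherwise be a noisy false positive.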
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2025-05-22