
Summary
This rule identifies processes querying the Windows registry for sensitive credentials, using data from Endpoint Detection and Response (EDR) systems. It specifically monitors command-line executions that access registry paths associated with stored passwords, which are common targets for credential theft by attackers or tools such as winPEAS. Such activity is a strong indicator of an attack aiming at privilege escalation, persistence, or lateral movement within a network and therefore represents a critical security concern. The detection draws on multiple data sources, including Sysmon and Windows Event Logs, to monitor for this suspicious activity. Implementing it requires ingesting EDR logs into a suitable data model in Splunk so that normalized fields are available for efficient analysis.
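As an added illustration (not the rule's own Splunk search), the logic the summary describes, run in Python over constructed Sysmon-style process events: the registry paths, the field names (User, CommandLine) and the sample command lines are assumptions, not taken from the page.

```python
import re

# Registry locations that commonly hold stored credentials (ATT&CK T1552.002).
# The page does not list the rule's own paths; this set is an assumption drawn
# from well-known credential stores and should be tuned per environment.
SENSITIVE_REG_PATHS = {
    r"\software\microsoft\windows nt\currentversion\winlogon": "Winlogon DefaultPassword",
    r"\software\simontatham\putty\sessions": "PuTTY saved sessions",
    r"\software\orl\winvnc3": "WinVNC3 password",
    r"\system\currentcontrolset\services\snmp\parameters": "SNMP community strings",
}
# Long hive names as they may appear on a command line, mapped to short forms.
HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu", "hkey_users": "hku"}
# Recursive registry search for the literal "password" (reg query ... /f password ... /s).
PASSWORD_SWEEP = re.compile(r"\breg(?:\.exe)?\s+query\b.*\s/f\s+password\b.*\s/s\b")

def normalize(cmdline):
    """Lower-case, drop quotes and expand hive aliases so path matching is stable."""
    s = cmdline.lower().replace('"', "").replace("'", "")
    for long_name, short in HIVE_ALIASES.items():
        s = s.replace(long_name, short)
    return s

def detect(event):
    """Return an alert dict for one EDR/Sysmon process event, or None if benign."""
    cmd = normalize(event["CommandLine"])
    for path, what in SENSITIVE_REG_PATHS.items():
        if path in cmd:
            return {"user": event["User"], "reason": what, "technique": "T1552.002"}
    if PASSWORD_SWEEP.search(cmd):
        return {"user": event["User"], "reason": "recursive registry search for 'password'",
                "technique": "T1552.002"}
    return None

def scan(events):
    """Run the detection over a batch of events and collect the alerts."""
    return [a for a in (detect(e) for e in events) if a]

# Constructed Sysmon Event ID 1-style records (not real telemetry).
SAMPLE_EVENTS = [
    {"User": "CORP\\alice", "CommandLine": r'reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword'},
    {"User": "CORP\\alice", "CommandLine": r"powershell.exe -c Get-ItemProperty 'HKCU:\Software\SimonTatham\PuTTY\Sessions\*'"},
    {"User": "CORP\\svc-inv", "CommandLine": r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},  # benign
    {"User": "CORP\\bob", "CommandLine": r"reg query HKEY_LOCAL_MACHINE /f password /t REG_SZ /s"},
    {"User": "CORP\\bob", "CommandLine": "cmd.exe /c whoami"},  # benign
]

if __name__ == "__main__":
    print(*scan(SAMPLE_EVENTS), sep="\n")
```

The benign Run-key query and the plain whoami produce no alert, which is the false-positive boundary a tuned version of this rule has to hold in production.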
Categories
- Endpoint
- Windows
Data Sources
- Pod
- Container
- User Account
- Windows Registry
- Script
- Image
- Web Credential
- Named Pipe
- Certificate
- WMI
- Cloud Storage
- Internet Scan
- Persona
- Group
- Application Log
- Logon Session
- Instance
- Sensor Health
- File
- Drive
- Snapshot
- Command
- Kernel
- Driver
- Volume
ATT&CK Techniques
- T1552
- T1552.002
Created: 2024-11-13