Reg exe Manipulating Windows Services Registry Keys

Splunk Security Content

Summary
This detection rule identifies manipulation of Windows service registry keys through the reg.exe utility. It monitors Endpoint Detection and Response (EDR) telemetry for a specific combination of process name, parent process, and command-line arguments involving reg.exe. The behavior matters because unauthorized changes to service configurations can indicate an attacker’s attempt to establish persistence on a host or to escalate privileges through service manipulation. If the activity is confirmed as malicious, the attacker may gain control over service behavior, risking unauthorized code execution or full system compromise. The rule draws on logs from sources such as Sysmon and the Windows Event Log to correlate processes that modify service-related registry keys, surfacing abnormal system behavior that warrants further investigation.
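The summary above describes the rule's logic in words only. The following is an added example, not Splunk's own search or any code from the Security Content project: it applies the same idea (reg.exe, a write-type subcommand, and a command line that touches a Services key) to a handful of constructed Sysmon-style process-creation records. The choice of which reg.exe subcommands count as "manipulation" and the field names used for the events are assumptions made here, not details taken from the page.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are made-up records for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"process_name": "reg.exe", "parent_process_name": "cmd.exe",
     "command_line": r'reg add "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v ImagePath /t REG_EXPAND_SZ /d "C:\ProgramData\example\svc.exe" /f'},
    {"process_name": "reg.exe", "parent_process_name": "powershell.exe",
     "command_line": r'"C:\Windows\System32\reg.exe" delete HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc /f'},
    # Read-only query of a service key: informational, not a modification.
    {"process_name": "reg.exe", "parent_process_name": "cmd.exe",
     "command_line": r'reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time'},
    # A write, but not under a Services key.
    {"process_name": "reg.exe", "parent_process_name": "cmd.exe",
     "command_line": r'reg add HKCU\Software\Example /v Setting /d 1 /f'},
    # Unrelated process.
    {"process_name": "notepad.exe", "parent_process_name": "explorer.exe",
     "command_line": r'notepad.exe C:\Users\alice\notes.txt'},
]

# reg.exe subcommands treated here as modifying registry data (assumption for this example).
WRITE_VERBS = {"add", "delete", "copy", "restore", "import"}

# Captures the reg.exe subcommand whether the binary is given bare, with .exe, or as a quoted full path.
VERB_RE = re.compile(r'^\s*"?(?:[^"\s]*[\\/])?reg(?:\.exe)?"?\s+(\w+)', re.IGNORECASE)

# Matches the service key hive path for the active or a numbered control set.
SERVICES_KEY_RE = re.compile(r"\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\", re.IGNORECASE)

# Pulls the service name that follows the Services key.
SERVICE_NAME_RE = re.compile(r'Services\\([^\\\s"]+)', re.IGNORECASE)


def is_service_key_manipulation(event: dict) -> bool:
    """Return True when the event is reg.exe writing to a Services registry key."""
    if event.get("process_name", "").lower() != "reg.exe":
        return False
    cmd = event.get("command_line", "")
    match = VERB_RE.match(cmd)
    if not match or match.group(1).lower() not in WRITE_VERBS:
        return False
    return SERVICES_KEY_RE.search(cmd) is not None


def service_name(command_line: str):
    """Extract the targeted service name from a reg.exe command line, or None."""
    match = SERVICE_NAME_RE.search(command_line)
    return match.group(1) if match else None


def find_service_key_manipulation(events):
    """Return a summary row for each event that matches the detection logic."""
    findings = []
    for event in events:
        if is_service_key_manipulation(event):
            findings.append({
                "parent_process_name": event["parent_process_name"],
                "service": service_name(event["command_line"]),
                "command_line": event["command_line"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_service_key_manipulation(SAMPLE_EVENTS):
        print(f"{finding['parent_process_name']} -> reg.exe modified service "
              f"'{finding['service']}': {finding['command_line']}")
```

Only the first two sample records are flagged: the `reg query` of W32Time and the write under HKCU are filtered out by the subcommand and key-path checks respectively, which mirrors why the rule correlates on the command line rather than on reg.exe alone. Carrying the parent process into the finding gives an analyst the context the summary calls out (a service key being changed from a shell or script host is the interesting case).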
Categories
  • Endpoint
  • Windows
Data Sources
  • Pod
  • Windows Registry
  • File
ATT&CK Techniques
  • T1574.011
  • T1574
Created: 2024-11-13