Enumeration for Credentials in Registry

Sigma Rules

Summary
This detection rule targets attempts by adversaries to enumerate credentials that are stored insecurely in the Windows Registry. The Registry is a core component of Windows that holds a wide range of configuration data, including, for some applications, sensitive credentials. The rule detects executions of reg.exe whose command line contains 'query', '/t', 'REG_SZ' and '/s', the combination used to search string values recursively, together with a hive specifier such as HKLM (HKEY_LOCAL_MACHINE) or HKCU (HKEY_CURRENT_USER). Because various applications keep credentials in the Registry, including session information for tools such as PuTTY, monitoring this access pattern can surface credential-theft activity early. The rule is most valuable in environments where sensitive information is at risk, since it enables a quick response to suspicious registry queries.
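The matching logic described above, implemented as an added example over constructed process-creation events (this is not the Sigma rule's own source or its converter output; the ProcessEvent fields and the two hive spellings beyond HKLM/HKCU are assumptions):

```python
from dataclasses import dataclass

# Substrings that must ALL appear in the command line, matched
# case-insensitively like a Sigma "contains|all" modifier.
REQUIRED_ALL = ("query", "/t", "REG_SZ", "/s")
# At least one hive marker must appear as well (Sigma "contains").
HIVES_ANY = ("HKLM", "HKCU", "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")


@dataclass
class ProcessEvent:
    """Minimal process-creation event (e.g. Sysmon EID 1 / Security 4688)."""
    image: str
    command_line: str


def matches_reg_credential_enumeration(event: ProcessEvent) -> bool:
    """True when the event matches the rule logic described on this page."""
    # Only reg.exe is in scope; other tools reading the hives are not covered.
    if not event.image.lower().endswith("\\reg.exe"):
        return False
    cmd = event.command_line.lower()
    if not all(token.lower() in cmd for token in REQUIRED_ALL):
        return False
    # Plain substring checks are deliberately coarse ("/s" also matches
    # "/se"), so baseline the hit rate in your environment before alerting.
    return any(hive.lower() in cmd for hive in HIVES_ANY)


def flagged_command_lines(events):
    """Return the command lines of all events the rule would alert on."""
    return [e.command_line for e in events
            if matches_reg_credential_enumeration(e)]


# Constructed sample events: two the rule should flag, three it should not.
REG = r"C:\Windows\System32\reg.exe"
SAMPLE_EVENTS = [
    ProcessEvent(REG, r"reg query HKLM /t REG_SZ /s"),
    ProcessEvent(REG, r"reg query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s"),
    # Ordinary version lookup: no /t, no REG_SZ, no /s.
    ProcessEvent(REG, r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'),
    # Recursive query, but for DWORD values rather than strings.
    ProcessEvent(REG, r"reg query HKLM\SYSTEM\CurrentControlSet\Services /t REG_DWORD /s"),
    # Same arguments from a different binary: outside the rule's scope.
    ProcessEvent(r"C:\Tools\other.exe", r"other.exe query HKLM /t REG_SZ /s"),
]

if __name__ == "__main__":
    for line in flagged_command_lines(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The last sample shows the rule's main blind spot: the same registry read from any binary other than reg.exe produces no alert, so pair this rule with registry-access telemetry where available.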
Categories
  • Windows
  • Endpoint
  • Infrastructure
Data Sources
  • Windows Registry
  • Process
  • Logon Session
ATT&CK Techniques
  • T1552.002
Created: 2021-12-20