
Summary
This rule identifies instances of reg.exe being launched from a command prompt (cmd.exe) where the cmd.exe process itself has a parent other than explorer.exe, which suggests the command prompt was not opened interactively by the user. The behavior is particularly concerning because reg.exe is commonly associated with registry modifications, which may serve as a mechanism for persistence or for altering system configurations. Such actions, if malicious in nature, could enable an attacker to escalate privileges or maintain access to the system while obscuring their activities. The detection is powered by EDR agents, utilizing specific events from Sysmon and Windows Event Logs, as well as data from CrowdStrike, focusing on the relationship between processes and their hierarchy.
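The lineage check described above, as an added example that is not the rule's own detection logic: Sysmon Event ID 1 (ProcessCreate) records carry Image, ParentImage and ParentProcessGuid, but not the grandparent, so a two-level parent check has to join each reg.exe event to its cmd.exe parent and then to that parent's own creator. The events below are constructed for illustration, and the field subset and GUID values are assumptions.

```python
"""Two-level process-lineage check: reg.exe <- cmd.exe <- (not explorer.exe).

Added example; the events are constructed Sysmon Event ID 1 records reduced
to the fields the check needs (ProcessGuid, ParentProcessGuid, Image,
CommandLine). GUIDs and paths are placeholders, not real telemetry.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcessCreate:
    process_guid: str
    parent_guid: str
    image: str
    command_line: str


EXPLORER, CMD, REG = "explorer.exe", "cmd.exe", "reg.exe"


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows path (Image is a full path)."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_reg(events: List[ProcessCreate]) -> List[dict]:
    """Return one record per reg.exe whose cmd.exe parent was not started by explorer.exe.

    A cmd.exe whose own creator cannot be resolved from the available events
    is reported as grandparent "<unknown>" rather than silently dropped: a gap
    in lineage (missed event, process started before logging) should surface
    for triage, not hide a hit.
    """
    by_guid: Dict[str, ProcessCreate] = {e.process_guid: e for e in events}
    hits: List[dict] = []
    for ev in events:
        if basename(ev.image) != REG:
            continue
        parent = by_guid.get(ev.parent_guid)
        if parent is None or basename(parent.image) != CMD:
            continue  # rule scope is reg.exe launched from cmd.exe only
        grandparent = by_guid.get(parent.parent_guid)
        gp_name = basename(grandparent.image) if grandparent else "<unknown>"
        if gp_name == EXPLORER:
            continue  # interactive prompt opened by the user: benign path
        hits.append({
            "reg_guid": ev.process_guid,
            "cmd_guid": parent.process_guid,
            "grandparent": gp_name,
            "command_line": ev.command_line,
        })
    return hits


# Constructed sample: an interactive cmd.exe (benign), a cmd.exe spawned by an
# Office process (hit), and a cmd.exe with no resolvable creator (hit, unknown).
SAMPLE_EVENTS = [
    ProcessCreate("{A}", "{BOOT}", r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessCreate("{B}", "{A}", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessCreate("{C}", "{B}", r"C:\Windows\System32\reg.exe",
                  r"reg query HKCU\Software\ExampleVendor"),
    ProcessCreate("{D}", "{A}", r"C:\Program Files\Office\winword.exe", "winword.exe"),
    ProcessCreate("{E}", "{D}", r"C:\Windows\System32\cmd.exe", "cmd.exe /c ..."),
    ProcessCreate("{F}", "{E}", r"C:\Windows\System32\reg.exe",
                  r"reg add HKCU\Software\ExampleVendor /v Setting /t REG_SZ /d 1"),
    ProcessCreate("{H}", "{MISSING}", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessCreate("{G}", "{H}", r"C:\Windows\System32\reg.exe",
                  r"reg query HKLM\Software\ExampleVendor"),
]


if __name__ == "__main__":
    for hit in find_suspicious_reg(SAMPLE_EVENTS):
        print(f"reg.exe {hit['reg_guid']} via cmd.exe {hit['cmd_guid']} "
              f"(grandparent: {hit['grandparent']}): {hit['command_line']}")
```

Note that the join relies on the cmd.exe creation event being present in the same window of telemetry; a streaming detection needs to retain recent cmd.exe events (or query the EDR's process tree) so the grandparent lookup does not fail for long-lived shells.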
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1112
Created: 2024-11-13