
Query Registry via reg.exe

Elastic Detection Rules

Summary
This detection rule identifies enumeration or discovery activity against the Windows registry performed with the 'reg.exe' command-line utility. It matches process events where the process name is 'reg.exe' and the command-line arguments include 'query'. Such activity can indicate an attacker gathering information from the Windows registry that could facilitate further malicious actions or privilege escalation. The rule is written in EQL (Event Query Language) and applies to multiple log sources, including endpoint events and Windows logs. It carries a low risk score of 21 and is categorized under the 'Discovery' tactic of the MITRE ATT&CK framework, specifically technique T1012, which covers querying the registry. Note that the rule was created on December 4, 2020 and deprecated as of April 15, 2021.
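The matching logic described above, re-implemented in Python as an added example (this is not the Elastic rule's own EQL, and the ECS-style field layout, the sample events and the helper names are assumptions made here) and run over constructed process events:

```python
# Added example: the rule's two conditions (process name is reg.exe, an argument
# equals "query") applied to ECS-style process events. Event layout, sample
# events and helper names are assumptions for this illustration.
import shlex
from typing import Dict, List


def matches_reg_query(event: Dict) -> bool:
    """True when the event is a reg.exe process whose argument list contains 'query'.

    Assumes fields process.name and process.args; comparison is case-insensitive,
    since Windows process names and reg.exe sub-commands are not case-sensitive.
    """
    proc = event.get("process", {})
    name = (proc.get("name") or "").lower()
    args = [a.lower() for a in proc.get("args", [])]
    return name == "reg.exe" and "query" in args


def event_from_command_line(cmdline: str, event_id: int) -> Dict:
    """Build a constructed event from a Windows command line.

    posix=False keeps backslashes literal and leaves quoted registry paths as
    single tokens, mirroring how a process's argument list would be recorded.
    """
    args = shlex.split(cmdline, posix=False)
    name = args[0].rsplit("\\", 1)[-1]          # strip any directory prefix
    return {"id": event_id, "process": {"name": name, "args": args}}


def find_matches(events: List[Dict]) -> List[int]:
    """Return the ids of events the rule would alert on."""
    return [e["id"] for e in events if matches_reg_query(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "process": {"name": "reg.exe", "args": ["reg.exe", "query", "HKCU\\Environment"]}},
    {"id": 2, "process": {"name": "reg.exe", "args": ["reg.exe", "add", "HKCU\\Environment", "/v", "X", "/d", "1"]}},
    {"id": 3, "process": {"name": "REG.EXE", "args": ["REG.EXE", "QUERY", "HKLM\\SOFTWARE\\Constructed"]}},
    # A parent shell whose argument embeds "reg query" is NOT matched here; the
    # rule fires on the child reg.exe process event, which is a separate event.
    {"id": 4, "process": {"name": "cmd.exe", "args": ["cmd.exe", "/c", "reg query HKCU\\Environment"]}},
]

if __name__ == "__main__":
    print(find_matches(SAMPLE_EVENTS))  # [1, 3]
```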
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
  • Logon Session
ATT&CK Techniques
  • T1012
Created: 2020-12-04