Reg Add Suspicious Paths

Sigma Rules

Summary
This detection rule identifies unauthorized modifications to the Windows Registry by monitoring use of the reg.exe utility. It tracks process executions in which reg.exe adds or alters registry keys or subkeys that adversaries commonly target. Specifically, it looks for reg.exe being invoked to change registry paths associated with the security settings and operational configuration of Windows, including paths under the AppData folder, Windows policy keys, and security providers such as WDigest. The rule defines two selection criteria: command-line arguments containing one of these sensitive paths, and the execution of reg.exe itself. It alerts only when both criteria are met, which indicates a high probability of malicious activity. Ongoing monitoring of registry modifications is important for detecting tactics used in privilege escalation and defense evasion, as described in the ATT&CK technique references below.
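The two-selection logic described above, run over constructed process-creation events, as an added example that is not the Sigma rule itself. The path substrings are illustrative stand-ins for the three path families the summary names (the rule's actual pattern list is not reproduced here), and selection 2 is assumed to be expressed as an `Image` endswith match; the sample events and their ProcessIds are constructed.

```python
# Illustrative stand-ins for the sensitive path families the rule summary names
# (AppData keys, Windows policy keys, WDigest settings). Not the rule's real list.
# Compared lowercase, mirroring Sigma's default case-insensitive string matching.
SUSPICIOUS_PATH_FRAGMENTS = (
    "\\appdata\\",                        # keys under a user's AppData folder
    "\\policies\\microsoft\\windows\\",   # Windows policy keys
    "\\securityproviders\\wdigest",       # WDigest security-provider settings
)


def is_reg_exe(event: dict) -> bool:
    """Selection 2: the executing image is reg.exe (assumed as an Image endswith)."""
    return event.get("Image", "").lower().endswith("\\reg.exe")


def touches_sensitive_path(event: dict) -> bool:
    """Selection 1: the command line names one of the sensitive registry paths."""
    cmdline = event.get("CommandLine", "").lower()
    return any(fragment in cmdline for fragment in SUSPICIOUS_PATH_FRAGMENTS)


def matches_rule(event: dict) -> bool:
    """Condition: both selections must hold for the same event."""
    return is_reg_exe(event) and touches_sensitive_path(event)


def alerting_events(events: list) -> list:
    """Return the ProcessIds of every event that triggers the rule."""
    return [e["ProcessId"] for e in events if matches_rule(e)]


# Constructed sample events in a Sysmon-like process-creation shape.
SAMPLE_EVENTS = [
    {"ProcessId": "1001", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg.exe add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest "
                    "/v ExampleValue /t REG_DWORD /d 1 /f"},
    # reg.exe, but against a path the rule does not consider sensitive: no alert.
    {"ProcessId": "1002", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg.exe query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"},
    # Sensitive path, but not written via reg.exe: selection 2 fails, so this rule
    # stays silent. Registry writes by other tools need their own detections.
    {"ProcessId": "1003", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe Set-ItemProperty HKLM:\\SYSTEM\\CurrentControlSet\\Control"
                    "\\SecurityProviders\\WDigest -Name ExampleValue -Value 1"},
    # Mixed-case reg.exe from SysWOW64 against a policy key: both selections hold.
    {"ProcessId": "1004", "Image": "C:\\Windows\\SysWOW64\\reg.exe",
     "CommandLine": "REG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\ExampleComponent "
                    "/v ExampleSetting /t REG_DWORD /d 1"},
]

print(alerting_events(SAMPLE_EVENTS))  # ['1001', '1004']
```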
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1112
  • T1562.001
Created: 2022-08-19