
Summary
The rule "Sensitive Registry Hive Access via RegBack" monitors for unauthorized access to sensitive registry hives, specifically the SAM and SECURITY hives, stored in the Windows Registry backup folder (RegBack). These hives hold credential material: cached local credentials in the SAM hive and domain credentials in the SECURITY hive. Accessing or dumping them gives an attacker what is needed to decrypt the stored secrets. The rule uses EQL (Event Query Language) to identify successful open events on the relevant registry hive files, filtering out legitimate processes such as taskhost.exe. Investigation involves examining unknown process chains, verifying the user's actions, and searching for evidence of credential exfiltration. The rule recommends incident response actions such as resetting user credentials and reimaging the affected system to mitigate the risk from detected activity. False positives may arise from legitimate administrative actions, so validating user intent is an essential step of the investigation. The rule is categorized as high risk with a severity rating of 73 and is mapped to the 'Credential Access' tactic in the MITRE ATT&CK framework.
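The detection logic described above, reimplemented in Python over a handful of constructed file-access events so the filtering can be seen end to end. This is an added example, not the rule's own EQL or any vendor code: the field names (action, outcome, process name, file path, user), the drive-letter wildcard and the exact RegBack folder layout are assumptions made for illustration, while the hive names, the success-only open condition and the taskhost.exe exclusion come from the summary.

```python
import re
from dataclasses import dataclass

# Path pattern for the SAM and SECURITY hive backups under RegBack. The rule
# summary names the hives and the RegBack folder; the drive-letter wildcard and
# the %SystemRoot%\System32\config\RegBack layout are assumptions for this example.
HIVE_PATTERN = re.compile(
    r"^[A-Za-z]:\\Windows\\System32\\config\\RegBack\\(SAM|SECURITY)$",
    re.IGNORECASE,
)

# Process the rule summary says is filtered out as legitimate (compared lower-cased).
EXCLUDED_PROCESSES = {"taskhost.exe"}


@dataclass(frozen=True)
class FileEvent:
    """One file-access event. The fields loosely mirror ECS-style event.action,
    event.outcome, process.name, file.path and user.name, but are assumed here."""
    action: str
    outcome: str
    process_name: str
    file_path: str
    user: str


def matches_regback_rule(ev: FileEvent) -> bool:
    """Mirror the rule's conditions: a successful open of RegBack\\SAM or
    RegBack\\SECURITY by any process other than the excluded ones."""
    return (
        ev.action == "open"
        and ev.outcome == "success"
        and ev.process_name.lower() not in EXCLUDED_PROCESSES
        and HIVE_PATTERN.match(ev.file_path) is not None
    )


def find_hits(events):
    """Return the events that would fire the rule, in input order."""
    return [ev for ev in events if matches_regback_rule(ev)]


def triage_summary(hits):
    """Group hits by user so an analyst can validate intent per account,
    the first investigation step the summary calls for."""
    summary = {}
    for ev in hits:
        summary.setdefault(ev.user, []).append((ev.process_name, ev.file_path))
    return summary


# Constructed sample telemetry: one true hit, plus events that miss on each
# individual condition (excluded process, failed open, live hive rather than
# RegBack, a RegBack hive the rule does not cover).
SAMPLE_EVENTS = [
    FileEvent("open", "success", "taskhost.exe",
              r"C:\Windows\System32\config\RegBack\SAM", "SYSTEM"),
    FileEvent("open", "success", "powershell.exe",
              r"C:\Windows\System32\config\RegBack\SECURITY", "alice"),
    FileEvent("open", "failure", "cmd.exe",
              r"C:\Windows\System32\config\RegBack\SAM", "bob"),
    FileEvent("open", "success", "notepad.exe",
              r"C:\Windows\System32\config\SAM", "bob"),
    FileEvent("open", "success", "explorer.exe",
              r"C:\Windows\System32\config\RegBack\SYSTEM", "carol"),
]


if __name__ == "__main__":
    for user, accesses in triage_summary(find_hits(SAMPLE_EVENTS)).items():
        for proc, path in accesses:
            print(f"ALERT user={user} process={proc} path={path}")
```

Running the block prints one alert, for the powershell.exe open of RegBack\SECURITY by alice; the taskhost.exe event is suppressed by the exclusion, the failed open and the live-hive and SYSTEM-hive opens never satisfy the path or outcome conditions. The grouping by user is what an analyst would start from when confirming whether an administrative action explains the access.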
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- File
ATT&CK Techniques
- T1003
- T1003.002
- T1003.004
Created: 2024-07-01