
Reg exe used to hide files directories via registry keys

Splunk Security Content

Summary
This detection rule identifies execution of the Windows `reg.exe` command used to hide files or directories via registry modifications. It focuses on command-line arguments that indicate the `reg add` command with parameters suggesting an intent to set the hidden attribute on files. Specifically, it flags process executions whose command line contains 'add', 'Hidden', and 'REG_DWORD'. Such activity can point to Windows defense evasion tactics. The rule uses Sysmon EventID 1 (process creation) data ingested into Splunk, so the relevant endpoint telemetry must be onboarded for the detection to work.
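As an added illustration (not part of the Splunk rule or its search), the Python below applies the summary's three conditions (process is `reg.exe`, command line contains 'add', 'Hidden' and 'REG_DWORD') to constructed Sysmon EventID 1 records. The image paths, key paths and command lines are constructed samples, not real telemetry or real Windows keys.

```python
# Constructed Sysmon EventID 1 records carrying only the fields the check
# needs. The key paths are placeholders, not real Windows registry keys.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKCU\Software\Example Key" /v Hidden /t REG_DWORD /d 2 /f'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKCU\Software\Example /v Hidden"},   # query, not add
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKCU\Software\Example /v Enabled /t REG_DWORD /d 1 /f"},  # no Hidden
    # Parent shell event: the image is cmd.exe, so it does not match here; the
    # child reg.exe it spawns is logged as its own EventID 1 record and would.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "reg add HKCU\Software\Example /v Hidden /t REG_DWORD /d 2"'},
    # Case and spacing variations must still match.
    {"Image": r"C:\Windows\System32\REG.EXE",
     "CommandLine": r"REG  ADD  HKCU\Software\Example  /V  hidden  /T  reg_dword  /D  2"},
]


def is_reg_exe(image: str) -> bool:
    """True when the process image is reg.exe, regardless of path or case."""
    return image.lower().rsplit("\\", 1)[-1] == "reg.exe"


def command_line_tokens(cmd: str) -> list[str]:
    """Split a Windows command line on whitespace, dropping surrounding quotes."""
    return [t.strip('"').lower() for t in cmd.split()]


def matches_rule(event: dict) -> bool:
    """Apply the rule's conditions to one Sysmon EventID 1 record."""
    if not is_reg_exe(event.get("Image", "")):
        return False
    tokens = set(command_line_tokens(event.get("CommandLine", "")))
    # Exact-token comparison avoids matching 'add' or 'hidden' inside a longer path.
    return {"add", "hidden", "reg_dword"} <= tokens


def detect(events: list[dict]) -> list[int]:
    """Return the indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    for i in detect(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Tightening the check to require 'Hidden' immediately after `/v` would cut false positives from unrelated `reg add` commands that merely mention the word elsewhere; the summary describes the looser keyword form, which is what the code implements.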
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1564.001
Created: 2024-11-14