Potential Configuration And Service Reconnaissance Via Reg.EXE

Sigma Rules

Summary
This detection rule matches process-creation events in which `reg.exe`, the built-in Windows command-line utility for reading and modifying the registry, is invoked with `query`-style arguments against registry keys that hold security-relevant system state. Adversaries use such queries for reconnaissance on a compromised host: the registry exposes credentials, system and service configuration, autostart entries and the set of installed applications. The rule fires on the combination of the `reg.exe` image, a query operation on the command line and one of a set of registry paths commonly targeted during this kind of discovery; it excludes known benign sources of the same pattern, such as processes associated with Discord, to limit false positives. Because it keys on the `reg.exe` image, registry reads performed through PowerShell cmdlets or directly via the Win32 registry API are outside its scope and need separate coverage.
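The following is an added illustration of the selection-and-filter logic described above, run over a handful of constructed process-creation events; it is not the Sigma rule's own source. The registry-path substrings, the Discord exclusion string and the field names (`image`, `command_line`) are assumptions chosen to mirror the Sysmon/Sigma process-creation model, and the real rule's lists may differ.

```python
"""Toy re-implementation of a reg.exe registry-reconnaissance detection.

Added example, not the Sigma rule's source. Key fragments, the Discord
exclusion and the sample events below are all assumptions/constructed data.
"""

from dataclasses import dataclass

# Assumed registry-path substrings an analyst would flag when passed to
# `reg query`: autostart, Winlogon and service-configuration keys. Sigma
# string matching is case-insensitive, so these are kept lowercase.
SUSPICIOUS_KEY_FRAGMENTS = (
    "currentversion\\run",
    "currentversion\\policies\\explorer\\run",
    "winlogon\\",
    "currentcontrolset\\services",
    "currentversion\\windows",
)

# Assumed false-positive marker. The page only says "processes associated
# with Discord"; the exact exclusion string is not given there.
FALSE_POSITIVE_FRAGMENTS = ("discord",)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation event (field names are an assumption)."""
    image: str
    command_line: str


def matches_reg_recon(event: ProcessEvent) -> bool:
    """Return True when the event satisfies `selection and not filter`.

    Everything is lowercased first to mimic Sigma's case-insensitive
    string modifiers (endswith/contains).
    """
    image = event.image.lower()
    cmd = event.command_line.lower()
    if not image.endswith("\\reg.exe"):
        return False                      # Only reg.exe itself, not a parent shell
    if "query" not in cmd:
        return False                      # reg add / delete / export are out of scope
    if not any(frag in cmd for frag in SUSPICIOUS_KEY_FRAGMENTS):
        return False                      # Query against an uninteresting key
    if any(fp in cmd for fp in FALSE_POSITIVE_FRAGMENTS):
        return False                      # Known benign source (assumed Discord filter)
    return True


# Constructed sample events; not captured telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r'reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"'),
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r"REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\WinDefend /v Start"),
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v x /d c:\x.exe"),
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r"reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd /c reg query HKLM\SYSTEM\CurrentControlSet\Services"),
]


def run_detection(events):
    """Return the command lines of every event the rule would alert on."""
    return [e.command_line for e in events if matches_reg_recon(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Only the first two events alert: the upper-case `REG QUERY` shows why the comparison must be case-insensitive, the `reg add` and Discord events are dropped by the query check and the exclusion respectively, and the `cmd.exe` wrapper is not matched because the rule keys on the `reg.exe` image, so the alert would come from the child `reg.exe` process-creation event rather than from the shell that spawned it.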
Categories
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1012 (Query Registry)
Created: 2019-10-21