
Summary
This detection rule identifies execution of 'reg.exe' with the 'restore' subcommand, which writes a previously saved hive file back into the registry on Windows hosts. It relies on process execution logs and command-line arguments collected by Endpoint Detection and Response (EDR) agents. The activity matters because 'reg restore' is rare in routine administration and shows up in post-exploitation workflows, including those around tooling such as winpeas, where 'reg save' and 'reg restore' are used to back up registry state and later reinstate it. An attacker who can restore a hive can roll back defensive registry changes (for example, hardening or logging settings), reinstate persistence entries, and so circumvent security controls. The rule aggregates logs from Sysmon EventID 1, Windows Event Log Security 4688, and CrowdStrike ProcessRollup2 to cover registry restore attempts across these sources. When triaging a hit, review the parent process, the executing user, the target key, and the path of the hive file being restored, and confirm whether a legitimate backup or imaging job accounts for it before closing the alert.
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1012
Created: 2025-01-14