
Summary
This rule detects the import of an alternate data stream (ADS) into the Windows registry using the 'regedit.exe' tool. It triggers when a regedit command line contains parameters indicative of ADS usage together with the usual file-input patterns (e.g., a '.reg' file extension). The rule monitors process creation events in which regedit is used to modify the registry, which can reveal attempts to evade security controls or to carry out other malicious activity. The key indicator is a command line pattern suggesting that registry data is being loaded from an alternate data stream, a technique that can be used in a variety of attacks. The rule produces a high severity alert, reflecting the criticality of this activity as a potential evasion technique.
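The matching logic the summary describes, written out as an added Python example (this is not the rule's own implementation or the detection platform's code). It assumes process-creation events carry an image path and a command line, uses '.reg' as the file-input indicator named above, and treats a `file:stream` token in the command line as the ADS reference; the sample events are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessCreationEvent:
    """Minimal process-creation record (image path plus command line)."""
    image: str
    command_line: str


# A filename followed by ':' and a stream name, e.g. notes.txt:settings.reg.
# The part before the colon must be at least two characters so a drive letter
# ("C:") does not match; backslashes, quotes and whitespace end a token on both
# sides, and the stream name may not start with '/' so "http://" is not matched.
ADS_RE = re.compile(r'[^\s"\\:]{2,}:[^\s"\\:/][^\s"\\:]*')

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[ProcessCreationEvent] = [
    # ADS-hosted .reg file imported silently: should alert
    ProcessCreationEvent(r"C:\Windows\regedit.exe",
                         r"regedit.exe /s C:\Users\bob\notes.txt:settings.reg"),
    # Ordinary .reg import from a regular file: no ADS, no alert
    ProcessCreationEvent(r"C:\Windows\regedit.exe",
                         r"regedit.exe /s C:\Temp\update.reg"),
    # Quoted path with a space, ADS reference inside the quotes: should alert
    ProcessCreationEvent(r"C:\Windows\regedit.exe",
                         r'"C:\Windows\regedit.exe" "C:\Users\a b\doc.docx:x.reg"'),
    # ADS mentioned, but the process is not regedit: out of scope for this rule
    ProcessCreationEvent(r"C:\Windows\System32\cmd.exe",
                         r"cmd.exe /c type C:\Users\bob\notes.txt:hidden.reg"),
]


def is_regedit(image: str) -> bool:
    """True when the image's file name is regedit.exe (case-insensitive)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "regedit.exe"


def find_ads_reference(command_line: str) -> Optional[str]:
    """Return the first file:stream token in the command line, or None."""
    match = ADS_RE.search(command_line)
    return match.group(0) if match else None


def detect_regedit_ads_import(events: List[ProcessCreationEvent]) -> List[Dict[str, str]]:
    """Return one high-severity alert per regedit command line that both
    names a .reg input and references an alternate data stream."""
    alerts: List[Dict[str, str]] = []
    for event in events:
        if not is_regedit(event.image):
            continue
        if ".reg" not in event.command_line.lower():
            continue
        ads_ref = find_ads_reference(event.command_line)
        if ads_ref is None:
            continue
        alerts.append({
            "severity": "high",
            "image": event.image,
            "ads_reference": ads_ref,
            "command_line": event.command_line,
        })
    return alerts


def run_sample() -> List[Dict[str, str]]:
    """Run the detection over the constructed sample events."""
    return detect_regedit_ads_import(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert['severity']}] ADS import via regedit: {alert['ads_reference']}")
        print(f"    {alert['command_line']}")
```

Of the four constructed events only the two regedit command lines that reference a `file:stream` path produce alerts; a plain `.reg` import and a non-regedit process that merely mentions an ADS are left alone, which is the scope the summary describes. In production the `.reg` check and the ADS pattern would be tuned against the environment's own regedit usage to keep the high-severity alert actionable.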
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
Created: 2020-10-12