diff --git a/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
index 54a382a8b..e163cc096 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
@@ -52,6 +52,7 @@ detection:
 - 'rundll32.exe'
 - 'cmstp.exe'
 - 'msiexec.exe'
+ - 'reg.exe'
 filter:
 Image|endswith:
 - '\powershell.exe'
@@ -69,6 +70,7 @@ detection:
 - '\rundll32.exe'
 - '\cmstp.exe'
 - '\msiexec.exe'
+ - '\reg.exe'
 condition: selection and not filter
 falsepositives:
 - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
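Review bot: The new `'reg.exe'` entry in the first hunk is added only to the value list; the selection key it belongs to (presumably an `OriginalFileName` match, since the paired filter keys on `Image|endswith`) starts above the hunk, so confirm that the string matches the binary's version-info name exactly as the other entries do — an entry that does not match the field's actual value silently adds no coverage. The `detection:` block and the rule header (`modified:`, `description`, any per-binary `references`) are outside both hunks; the header should be updated in the same commit so rule consumers can see that coverage changed. Both hunks are consistent with each other (bare name in `selection`, `\`-prefixed name in `filter`), which matches the existing entries.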