
Suspicious Regsvr32 Register Suspicious Path

Splunk Security Content

Summary
This detection rule identifies use of Regsvr32.exe, the Microsoft Windows utility for registering DLL files, to register DLLs from suspicious paths, including the AppData, ProgramData, and Windows Temp directories. Threat actors may abuse Regsvr32.exe to execute malicious scripts or commands by registering DLLs from these untrusted locations, evading security controls. The rule queries process execution logs and command-line arguments collected by Endpoint Detection and Response (EDR) agents to surface potentially malicious activity. Specifically, it captures instances where Regsvr32.exe was invoked with a path under one of these known risky directories, while filtering out common DLL file extensions to reduce false positives. The presence of such activity indicates a potential compromise and, if verified, could allow attackers to run arbitrary code, leading to deeper infiltration or data exfiltration.
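The matching logic the summary describes, run over constructed sample process events, as an added Python example (this is not the Splunk search from the Security Content project; the event field names, the exact directory substrings and the `.dll` exclusion are assumptions made for illustration):

```python
from typing import Dict, List

# Constructed sample events in the shape an EDR agent might emit; not real
# telemetry. Field names (process_name, process, parent_process_name) are assumed.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"process_name": "regsvr32.exe", "parent_process_name": "winword.exe",
     "process": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\update.sct"},
    {"process_name": "regsvr32.exe", "parent_process_name": "explorer.exe",
     "process": r"regsvr32.exe /s C:\ProgramData\vendor\helper.ocx"},
    {"process_name": "regsvr32.exe", "parent_process_name": "cmd.exe",
     "process": r"regsvr32.exe /s C:\Windows\Temp\stage.txt"},
    {"process_name": "regsvr32.exe", "parent_process_name": "setup.exe",
     "process": r"regsvr32.exe /s C:\Users\bob\AppData\Roaming\app\lib.dll"},
    {"process_name": "regsvr32.exe", "parent_process_name": "msiexec.exe",
     "process": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"},
    {"process_name": "rundll32.exe", "parent_process_name": "cmd.exe",
     "process": r"rundll32.exe C:\ProgramData\x.dat,Start"},
]

# Directory substrings treated as risky (assumed; compared case-insensitively).
SUSPICIOUS_DIRS = (r"appdata", r"programdata", r"windows\temp")
# Extensions excluded to reduce false positives (assumed; the rule summary says
# "common DLL file extensions").
EXCLUDED_EXTENSIONS = (".dll",)


def registered_target(cmdline: str) -> str:
    """Return the last non-switch token, i.e. the path regsvr32 was asked to register."""
    tokens = [t for t in cmdline.split() if not t.startswith("/")]
    return tokens[-1] if len(tokens) > 1 else ""


def matches_rule(event: Dict[str, str]) -> bool:
    """True when the event is regsvr32 registering a non-.dll file from a risky directory."""
    name = event.get("process_name", "").lower()
    cmd = event.get("process", "").lower()
    if name != "regsvr32.exe":
        return False
    if not any(d in cmd for d in SUSPICIOUS_DIRS):
        return False
    if any(ext in cmd for ext in EXCLUDED_EXTENSIONS):
        return False
    return True


def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return matching events with the registered target extracted for triage."""
    return [dict(e, target=registered_target(e["process"]))
            for e in events if matches_rule(e)]
```

On the sample events, the three regsvr32 invocations of non-.dll files under AppData, ProgramData and Windows\Temp match; the `.dll` under AppData, the Program Files registration and the rundll32 event do not.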
Categories
  • Endpoint
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1218
  • T1218.010
Created: 2025-01-27