
Summary
This analytic rule detects regasm.exe making network connections to public IP addresses, excluding destinations in private IP ranges. Using Sysmon Event ID 3 (network connection) logs, the rule highlights a potential threat in which a legitimate Microsoft binary, regasm.exe, is abused by an adversary to establish a Command and Control (C2) channel. If confirmed as malicious, such behavior could lead to privilege escalation and further attacks within the environment. The technique warrants special attention because it can bypass application control mechanisms, which makes detection essential for maintaining the security of the IT infrastructure.
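As an added illustration (not part of the original rule or its query), the filtering logic described above applied in Python to a few constructed Sysmon Event ID 3 records; the private ranges are assumed to be RFC 1918 plus loopback and link-local, and the record fields mirror Sysmon's Image and DestinationIp names:

```python
import ipaddress

# Constructed sample records reduced to the Sysmon Event ID 3 fields the rule
# needs. These are not real telemetry; 203.0.113.0/24 is a documentation range
# standing in for an arbitrary public destination.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},        # private: suppressed
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},    # public: alert
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 80},     # not regasm: ignored
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "DestinationIp": ""},                                        # not Event ID 3: ignored
]

# Private / non-routable ranges the rule excludes (assumed set, mirroring the
# rule's "private IP ranges" exclusion): RFC 1918, loopback, link-local, ULA.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_private(ip_text):
    """True if the address falls in one of the excluded ranges. Raises ValueError on junk."""
    addr = ipaddress.ip_address(ip_text)
    # Membership across IP versions simply returns False, so one loop covers both.
    return any(addr in net for net in PRIVATE_NETS)


def regasm_public_connections(events):
    """Return the Event ID 3 records where regasm.exe reached a non-private destination."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 3:
            continue
        # Match on the image file name only, so any framework path or casing is caught.
        if ev.get("Image", "").rsplit("\\", 1)[-1].lower() != "regasm.exe":
            continue
        try:
            if is_private(ev.get("DestinationIp", "")):
                continue
        except ValueError:
            continue  # malformed or empty DestinationIp: cannot classify, do not alert
        hits.append(ev)
    return hits
```

In a real deployment the same predicate would be expressed in the SIEM query language, and the hit list would feed an alert rather than be returned.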
Categories
- Endpoint
Data Sources
- Process
- Network Traffic
- Windows Registry
ATT&CK Techniques
- T1218
- T1218.009
Created: 2024-11-13