Windows Regsvr32 Renamed Binary

Splunk Security Content

Summary
This detection rule identifies executions of the regsvr32.exe binary under a different file name. Renaming regsvr32.exe is an evasion tactic used by attackers to bypass security controls that key on the process name, since this executable is commonly used to register and execute DLLs. Such a rename can indicate malicious activity, including unauthorized DLL execution, code execution, privilege escalation, or persistence on a compromised system. The rule uses data from Endpoint Detection and Response (EDR) tools and compares the original filename metadata of the executed binary against the name it was run under, flagging mismatches. Splunk searches the collected process execution events and provides the surrounding execution context. Key data sources are Sysmon EventID 1 and CrowdStrike process telemetry.
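As an added illustration of the check described above (not the project's own SPL, which is not reproduced here), the following Python applies the same original-filename comparison to a few constructed Sysmon EventID 1-style records; the field names `Image` and `OriginalFileName` are the Sysmon ones, and the sample events are made up for this example.

```python
# Added example: re-implements the rule's core test in Python over
# constructed Sysmon EventID 1-style dicts. Not Splunk Security Content code.

def basename(path: str) -> str:
    """Return the file-name component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_renamed_regsvr32(event: dict) -> bool:
    """True when the PE version metadata says regsvr32.exe but the
    process was started under a different on-disk name.

    Events lacking OriginalFileName are not flagged: the rule depends on
    that metadata and cannot decide without it (a gap worth alerting on
    separately if your EDR normally populates the field)."""
    original = event.get("OriginalFileName")
    if not original or original.lower() != "regsvr32.exe":
        return False
    # Compare case-insensitively: NTFS is case-preserving, not case-sensitive.
    return basename(event.get("Image", "")).lower() != "regsvr32.exe"


def find_renamed_regsvr32(events):
    """Return the subset of events that match the detection."""
    return [e for e in events if is_renamed_regsvr32(e)]


# Constructed sample telemetry (hypothetical paths, not real IoCs).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe", "OriginalFileName": "regsvr32.exe"},
    {"Image": r"C:\Windows\SysWOW64\REGSVR32.EXE", "OriginalFileName": "regsvr32.exe"},
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "RegSvr32.EXE"},
    {"Image": r"C:\Temp\update.exe", "OriginalFileName": "update.exe"},
    {"Image": r"C:\Temp\r.exe"},  # OriginalFileName missing: skipped
]

if __name__ == "__main__":
    for hit in find_renamed_regsvr32(SAMPLE_EVENTS):
        print("renamed regsvr32:", hit["Image"])
```

Only the `svchost.exe` record is flagged; the two legitimate paths differ only in case and the record without metadata is skipped rather than guessed at.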
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1218.010
  • T1218
Created: 2024-12-10