Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location

Sigma Rules

Summary
This rule detects executions of Regasm.exe and Regsvcs.exe, the .NET Framework utilities that register assemblies for COM interop and as COM+ services, where the command line points into an uncommon location. Both are signed Microsoft binaries that load and run code from the assembly they are handed, so an attacker can use them to execute a payload under a trusted image (MITRE ATT&CK T1218.009, System Binary Proxy Execution: Regsvcs/Regasm). The rule pairs a process-creation event for either utility with a command line that references a directory a standard user can write to and that malware routinely drops into, such as AppData, Temp folders or the Startup folder, whether because the assembly being registered lives there or because the utility itself has been copied there. Legitimate registrations normally reference assemblies installed under Program Files or other protected paths. Proxying execution through a signed Microsoft binary is precisely what lets this technique slip past application allow-listing and detections keyed only on unknown or unsigned executables, which is why the location of the referenced file, rather than the utility name alone, carries the signal. Installers do occasionally register interop assemblies from temporary extraction directories, so an alert should be triaged on the assembly path, its signer and the parent process before it is treated as an incident.
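As an added example that is not part of this rule page or of the Sigma project, the following Python replays the logic described above over a handful of constructed process-creation events. The two binary names and the AppData, Temp and Startup locations come from the summary; the remaining path fragments, the Sysmon-style field names (Image, OriginalFileName, CommandLine) and the helper names are assumptions made here, not the published rule's exact content.

```python
"""Re-implementation of the Regasm/Regsvcs uncommon-location logic over
constructed events. Added example, not the published Sigma rule; the path
list below is an assumption beyond the AppData/Temp/Startup entries."""
from typing import Iterable

# The two .NET Framework utilities the rule covers.
TARGET_IMAGE_SUFFIXES = ("\\regasm.exe", "\\regsvcs.exe")
TARGET_ORIGINAL_NAMES = {"regasm.exe", "regsvcs.exe"}

# User-writable locations. AppData, Temp and the Startup folder come from the
# rule summary; the other entries are assumptions added for this example.
UNCOMMON_LOCATION_FRAGMENTS = (
    "\\appdata\\",
    "\\temp\\",
    "\\start menu\\programs\\startup\\",
    "\\desktop\\",
    "\\downloads\\",
    "\\users\\public\\",
    "\\programdata\\",
    "%appdata%",  # unexpanded variables can survive in the logged command
    "%temp%",     # line when the parent is not cmd.exe
    "%tmp%",
)


def is_regasm_or_regsvcs(event: dict) -> bool:
    """Image|endswith OR OriginalFileName. OriginalFileName is read from the
    PE version resource, so a renamed copy still matches when the sensor
    records that field."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(TARGET_IMAGE_SUFFIXES) or original in TARGET_ORIGINAL_NAMES


def references_uncommon_location(event: dict) -> bool:
    """CommandLine|contains over the fragments. Sigma string matching is
    case-insensitive, hence the lower-casing on both sides."""
    cmdline = event.get("CommandLine", "").lower()
    return any(fragment in cmdline for fragment in UNCOMMON_LOCATION_FRAGMENTS)


def matches_rule(event: dict) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return is_regasm_or_regsvcs(event) and references_uncommon_location(event)


def triage(events: Iterable[dict]) -> list[str]:
    """Return the ids of the events that would raise this alert."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed events for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {   # Installer registering an interop assembly under Program Files: benign.
        "id": "benign-install",
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
        "OriginalFileName": "RegAsm.exe",
        "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" "C:\Program Files\Vendor\Interop.dll" /codebase',
    },
    {   # Assembly staged in the user's Temp folder and handed to regasm.exe.
        "id": "temp-unregister",
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe",
        "OriginalFileName": "RegAsm.exe",
        "CommandLine": r"regasm.exe /U C:\Users\bob\AppData\Local\Temp\payload.dll",
    },
    {   # Regsvcs pointed at an assembly placed in the Startup folder.
        "id": "startup-regsvcs",
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe",
        "OriginalFileName": "RegSvcs.exe",
        "CommandLine": r'RegSvcs.exe "C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.dll"',
    },
    {   # regasm.exe copied to Downloads and renamed; only OriginalFileName gives it away.
        "id": "renamed-with-pe-name",
        "Image": r"C:\Users\bob\Downloads\svchost.exe",
        "OriginalFileName": "RegAsm.exe",
        "CommandLine": r"svchost.exe /U C:\Users\bob\Downloads\update.dll",
    },
    {   # Same renamed copy from a sensor that omits OriginalFileName: a miss.
        "id": "renamed-no-pe-name",
        "Image": r"C:\Users\bob\Downloads\svchost.exe",
        "CommandLine": r"svchost.exe /U C:\Users\bob\Downloads\update.dll",
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT" if matches_rule(event) else "no match"
        print(f"{event['id']:<22} -> {verdict}")
```

The last two events make the renaming caveat concrete: the image-name check alone is defeated by copying regasm.exe under another name, and the OriginalFileName check recovers that case only if the endpoint sensor records the PE version resource, so a sensor that omits that field silently narrows what the rule can see.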
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
Created: 2022-08-25