
Summary
The rule "Scripting/CommandLine Process Spawned Regsvr32" detects instances where a scripting or command line process, such as PowerShell or Wscript, spawns a regsvr32.exe process. This behaviour may indicate an attempt to bypass application whitelisting or to execute a malicious payload through a legitimate Windows utility. The detection logic looks for regsvr32.exe being spawned by common scripting parents such as cmd.exe, powershell.exe or wscript.exe, except in specific excluded cases, such as the legitimate command line that registers RpcProxy.dll. The rule combines process creation logs with command line filtering to identify potentially malicious activity and is assigned a medium severity level.

False positives may occur with legitimate scripts that spawn regsvr32.exe in the same way, so additional filtering is recommended. The rule maps to the defense evasion technique T1218.010 in the ATT&CK framework. It was authored by Florian Roth and Nasreddine Bencherchali of Nextron Systems, and it has been in testing status as of May 26, 2023.
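As an added illustration (not the Sigma rule itself or Nextron's code), the selection-and-filter logic described above, re-implemented in Python and run over constructed process-creation events. The field names follow the Sysmon/Sigma process_creation convention, and the parent list and the RpcProxy.dll exclusion are taken from the summary; the exact form of the filter (a substring match here) and the full parent list are assumptions, the rule file is authoritative.

```python
# Added example: minimal re-implementation of the rule's logic.
# Not the Sigma rule or Nextron's code; field names and filter form are assumed.
from typing import Dict, Iterable, List
import ntpath

# Scripting / command line parents named in the summary (illustrative subset).
SCRIPTING_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe"}
CHILD = "regsvr32.exe"
# Legitimate RpcProxy registration the rule excludes (assumed: case-insensitive
# substring check on the command line).
FILTER_SUBSTRING = "rpcproxy.dll"


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. C:\\...\\cmd.exe -> cmd.exe."""
    return ntpath.basename(path).lower()


def matches_rule(event: Dict[str, str]) -> bool:
    """True if a process_creation event satisfies selection AND NOT filter."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()
    selection = parent in SCRIPTING_PARENTS and image == CHILD
    filter_rpcproxy = FILTER_SUBSTRING in cmdline
    return selection and not filter_rpcproxy


def alerts(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the ids of events the rule would flag (medium severity)."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "1", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\Public\sample.dll"},
    {"id": "2", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\RpcProxy\RpcProxy.dll"},
    {"id": "3", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"},
    {"id": "4", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\ProgramData\tool.dll"},
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # ['1', '4']
```

Event 2 shows the RpcProxy.dll exclusion and event 3 shows a non-scripting parent; both fall through, which is the kind of tuning the summary recommends extending for site-specific false positives.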
Categories
- Windows
Data Sources
- Process
- Command
Created: 2023-05-26