
Summary
This detection rule identifies execution of regsvr32.exe from highly suspicious file paths, which is a strong indicator of malicious activity. Regsvr32 is a legitimate, Microsoft-signed Windows utility used to register and unregister OLE controls and DLLs; because it is trusted and present on every Windows host, threat actors abuse it to load malicious payloads while evading application controls and detection.

The rule evaluates Windows process creation events, matching on command lines that reference regsvr32.exe and on the paths passed to it. It looks for the executable loading controls from uncommon directories that are rarely associated with legitimate software registration, such as PerfLogs and Temp, among several other paths. To limit false positives, known-safe locations such as Program Files and the Windows system directories are filtered out. An alert requires both conditions: the regsvr32 invocation and a command-line path in one of the suspicious locations. Because this pattern is commonly tied to defense-evasion tradecraft, the rule is assigned a high severity level and a match merits further investigation.
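As an illustration of the detection logic described above, here is an added example that re-implements it in Python over a handful of constructed process-creation events. It is not the rule's own definition and not code from the rule's authors; the PerfLogs and Temp directories come from the description, while the remaining suspicious directories, the exact set of safe directories, and the event field names are assumptions chosen for the example.

```python
"""Added illustration of the regsvr32 suspicious-location detection.

Evaluates constructed Windows process-creation events and flags regsvr32
runs whose control/DLL argument lives in a highly suspicious directory,
while skipping arguments under known-safe directories.
"""
import re
from dataclasses import dataclass

# PerfLogs and Temp are named in the rule description; the other entries are
# assumptions, picked as typical paths not associated with legitimate registration.
SUSPICIOUS_DIRS = (
    ":\\perflogs\\",
    ":\\temp\\",
    ":\\windows\\temp\\",       # assumption
    ":\\users\\public\\",       # assumption
    "\\appdata\\local\\temp\\",  # assumption
)

# Known-safe locations: Program Files and the Windows system directories.
# Exact list is an assumption; note that C:\Windows\Temp is deliberately
# NOT covered by the System32/SysWOW64 entries.
SAFE_DIRS = (
    ":\\program files\\",
    ":\\program files (x86)\\",
    ":\\windows\\system32\\",
    ":\\windows\\syswow64\\",
)


@dataclass
class ProcessEvent:
    """Minimal process-creation event (field names are assumptions)."""
    image: str          # full path of the created process
    command_line: str   # raw command line as logged


# A double-quoted run or a run of non-whitespace characters.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokens(cmd: str) -> list[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]


def is_regsvr32(ev: ProcessEvent) -> bool:
    """True if the process image or command line references regsvr32.exe."""
    image_name = ev.image.rsplit("\\", 1)[-1].lower()
    return image_name == "regsvr32.exe" or "regsvr32.exe" in ev.command_line.lower()


def suspicious_paths(cmd: str) -> list[str]:
    """Return command-line arguments that sit under a suspicious directory.

    The safe-directory exclusion is applied per argument, not to the whole
    command line, so a benign-looking extra argument cannot mask a bad one.
    """
    hits = []
    for tok in tokens(cmd):
        low = tok.lower()
        if "\\" not in low:           # flags such as /s or /u are not paths
            continue
        if any(safe in low for safe in SAFE_DIRS):
            continue
        if any(bad in low for bad in SUSPICIOUS_DIRS):
            hits.append(tok)
    return hits


def evaluate(ev: ProcessEvent):
    """Return an alert dict for a matching event, or None."""
    if not is_regsvr32(ev):
        return None
    hits = suspicious_paths(ev.command_line)
    if not hits:
        return None
    return {"level": "high", "image": ev.image, "paths": hits}


def run(events):
    """Evaluate a batch of events and return only the alerts."""
    return [alert for alert in map(evaluate, events) if alert]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\PerfLogs\update.dll"),           # alert
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r'"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Vendor\ctl.ocx"'),  # safe
    ProcessEvent(r"C:\Windows\SysWOW64\regsvr32.exe",
                 r"regsvr32.exe /s C:\Windows\Temp\svc.dll"),          # alert
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c dir C:\Temp\staging"),                   # not regsvr32
    ProcessEvent(r"C:\Users\Public\rs.exe",
                 r"rs.exe /s C:\Users\Public\p.dll"),                  # renamed copy: missed
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Running the block yields alerts for the first and third events only. The last event shows the limitation of matching on the command-line text: a renamed copy of regsvr32 is invisible to this check, so in a real deployment you would also match on the PE's original file name, which Sysmon process-creation events carry as OriginalFileName. Evaluating the safe-directory exclusion per argument rather than on the whole command line is a deliberate choice so that appending a Program Files path to an otherwise suspicious invocation does not suppress the alert.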
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2023-05-26