
Regsvr32 with Known Silent Switch Cmdline

Splunk Security Content

Summary
This rule identifies the execution of Regsvr32.exe with specific silent command-line switches (-s or /s) based on EDR telemetry. This behavior is often leveraged by malware, such as IcedID, to stealthily load harmful DLLs into memory, evading detection from conventional monitoring systems. Detection is achieved by monitoring command-line executions across endpoints and focusing on Regsvr32 activities. Should this behavior be deemed malicious, it could facilitate arbitrary code execution, enable the downloading of additional malicious payloads, and permit further system compromise. Immediate investigation and potential isolation of the affected endpoint are crucial for mitigating risks.
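As an added example (not the rule's own SPL search, which this page does not reproduce), the following Python applies the same switch-matching logic to constructed EDR process events, also catching a renamed copy of the binary via its PE original file name and rejecting near-misses such as a DLL named s.dll. The field names process, process_name and original_file_name are assumptions that loosely follow the Splunk CIM Endpoint.Processes data model.

```python
import re

# Tokens that regsvr32 treats as the silent switch: "-s" or "/s", any case.
SILENT_SWITCH = re.compile(r"^[-/]s$", re.IGNORECASE)
# Image name with or without a leading path, e.g. C:\Windows\SysWOW64\regsvr32.exe
REGSVR32_IMAGE = re.compile(r"(?:^|[\\/])regsvr32\.exe$", re.IGNORECASE)


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted paths intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_silent_regsvr32(event: dict) -> bool:
    """True when the event is regsvr32 run with -s or /s as a standalone switch."""
    tokens = tokenize(event.get("process", ""))
    if not tokens:
        return False
    # Identify the binary three ways so a renamed copy still matches:
    # reported process name, argv[0] of the command line, and PE original name
    # (field names are assumed, see lead-in).
    names = (event.get("process_name", ""), tokens[0],
             event.get("original_file_name", ""))
    if not any(REGSVR32_IMAGE.search(n) for n in names):
        return False
    # Only exact "-s"/"/s" tokens count, so a DLL path like C:\temp\s.dll does not.
    return any(SILENT_SWITCH.match(t) for t in tokens[1:])


def find_hits(events: list[dict]) -> list[dict]:
    """Return the events that should raise this detection."""
    return [e for e in events if is_silent_regsvr32(e)]


# Constructed sample EDR process events (not real telemetry).
SAMPLE_EVENTS = [
    {"process_name": "regsvr32.exe",
     "process": r'regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\upd.dll'},
    {"process_name": "regsvr32.exe",
     "process": r'"C:\Windows\System32\regsvr32.exe" "C:\Program Files\Vendor\x.dll"'},
    {"process_name": "regsvr32.exe",
     "process": r'C:\Windows\SysWOW64\regsvr32.exe -S C:\ProgramData\t.dll'},
    {"process_name": "rs.exe", "original_file_name": "regsvr32.exe",
     "process": r'rs.exe /s C:\Users\Public\s.dll'},
    {"process_name": "cmd.exe", "process": r'cmd.exe /s /c dir'},
    {"process_name": "regsvr32.exe", "process": r'regsvr32.exe C:\temp\s.dll'},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT:", hit["process"])
```

The cmd.exe event shows why the image name must be checked alongside the switch: /s is a legitimate switch for other binaries, and matching on the argument alone would be noisy.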
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
  • Logon Session
  • Network Traffic
ATT&CK Techniques
  • T1218
  • T1218.010
Created: 2024-11-13