
Summary
This detection rule identifies instances of the Regsvcs.exe process establishing a network connection to a public IP address, using Sysmon Event ID 3 (network connection) logs. Regsvcs.exe is a legitimate executable signed by Microsoft, but its use to initiate connections to external IPs can indicate threats such as Command and Control (C2) callbacks. Because the process may be abused to bypass application control systems, any identified connection warrants immediate investigation. The rule aims to mitigate the risks of privilege escalation and data exfiltration that could follow if malicious activity is confirmed.
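As an added example (not code from this rule page or its author), the following Python applies the rule's logic to constructed Sysmon Event ID 3 records. Field names follow Sysmon's network-connection event (EventID, Image, DestinationIp); the set of non-public ranges excluded from alerting is an assumption about what the rule treats as "public".

```python
import ipaddress

# Assumed non-public destination ranges: RFC 1918, loopback, link-local,
# multicast, and IPv6 loopback/ULA/link-local. Connections to these do not alert.
NON_PUBLIC_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_public_ip(ip_text: str) -> bool:
    """True if the address parses and falls outside every non-public range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # malformed or empty field: never treat as public
        return False
    return not any(ip in net for net in NON_PUBLIC_NETWORKS)


def matches_rule(event: dict) -> bool:
    """Sysmon network-connection event whose image is regsvcs.exe and whose
    destination is a public IP, regardless of path or letter case."""
    if str(event.get("EventID", "")) != "3":
        return False
    image = event.get("Image", "").lower().replace("/", "\\")
    if not image.endswith("\\regsvcs.exe"):
        return False
    return is_public_ip(event.get("DestinationIp", ""))


def run_detection(events):
    """Return the subset of events that should raise an alert."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); 203.0.113.0/24 is a
# documentation range used here to stand in for an arbitrary public address.
REGSVCS = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
SAMPLE_EVENTS = [
    {"EventID": 3, "ProcessId": 4120, "Image": REGSVCS, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 4120, "Image": REGSVCS, "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 3, "ProcessId": 4120, "Image": REGSVCS, "DestinationIp": "127.0.0.1", "DestinationPort": 8080},
    {"EventID": 3, "ProcessId": 2208, "Image": r"C:\Program Files\Browser\browser.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessId": 4120, "Image": REGSVCS, "DestinationIp": "203.0.113.10"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['ProcessId']} {hit['Image']} -> {hit['DestinationIp']}:{hit.get('DestinationPort')}")
```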
Categories
- Endpoint
Data Sources
- Process
- Network Traffic
- Windows Registry
ATT&CK Techniques
- T1218
- T1218.009
Created: 2024-11-13