
Summary
This detection rule identifies instances of the Windows process regsvcs.exe running without any command line arguments, which may indicate malicious activity such as process injection. Legitimate use of regsvcs.exe (registering .NET assemblies with COM+) normally carries an assembly path and switches, so an execution with no arguments can be a sign of an attempt to manipulate the process for nefarious purposes, such as evading security controls or executing altered code. The rule utilizes telemetry from Endpoint Detection and Response (EDR) solutions, particularly Sysmon EventID 1, Windows Security Event Log 4688, and CrowdStrike ProcessRollup2 data sources, to monitor process executions, image paths, and parent-child process relationships. If this activity is confirmed to be malicious, it can lead to severe consequences like privilege escalation, persistent infections, or potential exfiltration of sensitive information.
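The following Python script is an added example, not part of the rule page or the detection content project, showing the rule's logic run over constructed process-creation events from the three data sources named above. The field names per source (Sysmon `Image`/`CommandLine`/`ParentImage`, Security 4688 `NewProcessName`/`CommandLine`/`ParentProcessName`, CrowdStrike `ImageFileName`/`CommandLine`/`ParentBaseFileName`) and all sample events are assumptions made for the example; the logic strips the executable token from the command line (quoted or bare) and flags regsvcs.exe when nothing remains, which also covers an entirely empty command line.

```python
"""
Added example: flag regsvcs.exe executions that carry no command-line
arguments, across Sysmon EventID 1, Security 4688 and CrowdStrike
ProcessRollup2 shaped records. Field names and events are constructed.
"""
import ntpath

# Assumed per-source field names mapped onto one common shape.
FIELD_MAP = {
    "sysmon":      {"image": "Image",          "cmd": "CommandLine", "parent": "ParentImage"},
    "security":    {"image": "NewProcessName", "cmd": "CommandLine", "parent": "ParentProcessName"},
    "crowdstrike": {"image": "ImageFileName",  "cmd": "CommandLine", "parent": "ParentBaseFileName"},
}


def normalize(event):
    """Return (process_name, command_line, parent_name), all lower-cased basenames."""
    fields = FIELD_MAP[event["source"]]
    image = event.get(fields["image"], "") or ""
    parent = event.get(fields["parent"], "") or ""
    # ntpath.basename understands backslash paths on any platform.
    return (
        ntpath.basename(image).lower(),
        event.get(fields["cmd"], "") or "",
        ntpath.basename(parent).lower(),
    )


def arguments_after_executable(command_line):
    """Drop the leading executable token (quoted or bare); return remaining args."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        rest = cl[end + 1:] if end != -1 else ""
    else:
        parts = cl.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip()


def is_regsvcs_without_args(event):
    """True when the process is regsvcs.exe and no arguments follow the image."""
    name, cmd, _ = normalize(event)
    return name == "regsvcs.exe" and arguments_after_executable(cmd) == ""


def find_suspicious(events):
    """Return one finding per regsvcs.exe execution lacking arguments."""
    findings = []
    for ev in events:
        if is_regsvcs_without_args(ev):
            _, cmd, parent = normalize(ev)
            findings.append({
                "host": ev.get("host"),
                "source": ev["source"],
                "parent": parent,
                "command_line": cmd,
            })
    return findings


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {   # quoted image path, no arguments: should alert
        "source": "sysmon", "host": "ws01",
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe",
        "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"',
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # normal registration of an assembly: should not alert
        "source": "security", "host": "ws02",
        "NewProcessName": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
        "CommandLine": r"regsvcs.exe /u C:\App\Component.dll",
        "ParentProcessName": r"C:\Windows\System32\cmd.exe",
    },
    {   # bare image name and nothing else: should alert
        "source": "crowdstrike", "host": "ws03",
        "ImageFileName": r"\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe",
        "CommandLine": "regsvcs.exe",
        "ParentBaseFileName": "explorer.exe",
    },
    {   # unrelated process without arguments: should not alert
        "source": "sysmon", "host": "ws01",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f)
```

In a production query the same three predicates (image basename is regsvcs.exe, the argument remainder is empty, and the parent is recorded for triage) are what the rule expresses in SPL; keeping the parent process in the finding is what lets an analyst separate an installer-driven launch from an injection host started by a scripting engine.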
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1218
- T1218.009
Created: 2024-11-13