
Summary
This detection rule is focused on identifying the execution of RegSvcs.exe and RegAsm.exe, which are Windows command-line utilities used for registering .NET Component Object Model (COM) assemblies. Because both are signed Microsoft binaries, adversaries may leverage them to proxy the execution of malicious code through trusted Windows processes. The rule examines process events to detect when either RegSvcs.exe or RegAsm.exe is initiated. It uses a KQL (Kibana Query Language) query that filters for events categorized as 'process' where the event type indicates either 'start' or 'process_started'. The risk score of this rule is assessed as low, and it specifically targets Windows environments. Since this rule is marked as deprecated, it is no longer advised for active use, but it still illustrates an earlier detection strategy for the potentially malicious execution of signed binaries.
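To make the rule's filter logic concrete, the following is an added example that re-implements the three conditions described above (event category, event type, and the two target image names) in Python and runs them over a handful of constructed ECS-style process events. It is not code from the original rule or from the Elastic project; the KQL shown in the comment is an assumed equivalent of the rule's query, not a quotation of it, and the field names follow the Elastic Common Schema.

```python
# Added example, not part of the original rule page: a minimal re-implementation
# of the deprecated rule's filter logic, run over constructed ECS-style events.
# Field names (event.category, event.type, process.name) follow the Elastic
# Common Schema; the exact query text of the original rule is assumed.

from typing import Dict, List

# Assumed equivalent of the page's KQL query (not quoted from the rule itself):
#   event.category:process and event.type:(start or process_started)
#   and process.name:(RegSvcs.exe or RegAsm.exe)
TARGET_BINARIES = {"regsvcs.exe", "regasm.exe"}
START_TYPES = {"start", "process_started"}


def matches_rule(event: Dict) -> bool:
    """Return True when an event satisfies all three rule conditions."""
    if event.get("event.category") != "process":
        return False
    event_type = event.get("event.type")
    # event.type may be a scalar or a list in ECS documents; normalise to a set.
    types = set(event_type) if isinstance(event_type, list) else {event_type}
    if not types & START_TYPES:
        return False
    # Case-insensitive match on the image name only, so directory prefixes
    # and capitalisation differences between sensors do not matter.
    return (event.get("process.name") or "").lower() in TARGET_BINARIES


def run_detection(events: List[Dict]) -> List[Dict]:
    """Filter a batch of events and return the ones that trigger the rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event.category": "process", "event.type": ["start"],
     "process.name": "RegAsm.exe",
     "process.command_line": "RegAsm.exe C:\\Users\\Public\\sample.dll",
     "process.parent.name": "cmd.exe", "host.os.type": "windows"},
    {"event.category": "process", "event.type": "process_started",
     "process.name": "regsvcs.exe",
     "process.command_line": "regsvcs.exe C:\\Temp\\sample.dll",
     "process.parent.name": "powershell.exe", "host.os.type": "windows"},
    # Same binary but a process 'end' event: must not fire.
    {"event.category": "process", "event.type": ["end"],
     "process.name": "RegAsm.exe", "host.os.type": "windows"},
    # Unrelated process start: must not fire.
    {"event.category": "process", "event.type": ["start"],
     "process.name": "notepad.exe", "host.os.type": "windows"},
    # Not a process event at all: must not fire even though the name matches.
    {"event.category": "network", "event.type": ["start"],
     "process.name": "RegSvcs.exe", "host.os.type": "windows"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"ALERT T1218.009: {hit['process.name']} started by "
              f"{hit.get('process.parent.name', '?')}: "
              f"{hit.get('process.command_line', '')}")
```

Running the block prints two alerts, one per start event for the target binaries; the 'end' event, the unrelated process, and the non-process event are filtered out. Because the rule keys only on the image name and start event, every legitimate developer or installer use of these utilities also fires, which is consistent with the low risk score the page assigns; triage in practice relies on the parent process and command line, which the example carries through for that reason.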
Categories
- Endpoint
- Windows
Data Sources
- Process
- Logon Session
- Application Log
ATT&CK Techniques
- T1218
- T1218.009
Created: 2020-03-25