
Summary
This detection rule identifies potentially malicious network connections initiated by the Windows executable Regsvr32.exe, which is commonly used for registering ActiveX controls and DLLs. Malicious actors may abuse this functionality for unauthorized actions, including bypassing security measures. The rule checks for any network connection initiated by Regsvr32.exe, which may indicate an attempt to execute payloads or communicate covertly with remote servers. By monitoring such activity, organizations can strengthen their defenses against application-layer attacks and respond more quickly to potential breaches. The rule's selection criteria look for initiated connections whose process image ends in 'regsvr32.exe'. Analysts should review matches, since false positives are expected due to the legitimate use of Regsvr32.exe in administrative contexts. This rule aims to enhance visibility into network activity associated with evasion tactics employed by threat actors.
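The selection logic described above, run over a few constructed log records, as an added example that is not part of the rule itself: it assumes Sysmon Event ID 3 (network connection) style fields (Image, Initiated, DestinationIp, DestinationPort) and attaches an RFC 1918 internal/external hint to help triage the expected administrative false positives.

```python
import ipaddress
from typing import Iterable

# Constructed Sysmon Event ID 3 style records for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.25", "DestinationPort": 443},
    {"EventID": 3, "Image": "C:\\Windows\\SysWOW64\\REGSVR32.EXE",
     "Initiated": "true", "DestinationIp": "10.20.30.40", "DestinationPort": 445},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.25", "DestinationPort": 443},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "Initiated": "false", "DestinationIp": "10.0.0.5", "DestinationPort": 50000},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\regsvr32.exe"},
]

# RFC 1918 private ranges used only as a triage hint, not as part of the selection.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def matches_rule(event: dict) -> bool:
    """Selection: a connection the process initiated, with an image ending in regsvr32.exe."""
    if event.get("EventID") != 3:
        return False
    if str(event.get("Initiated", "")).lower() != "true":
        return False
    # Case-insensitive match on the image path suffix, mirroring an 'endswith' selection.
    return event.get("Image", "").lower().endswith("\\regsvr32.exe")


def triage_hint(event: dict) -> str:
    """Flag whether the destination is an internal (RFC 1918) host or an external one."""
    try:
        ip = ipaddress.ip_address(event["DestinationIp"])
    except (KeyError, ValueError):
        return "unknown-destination"
    return "internal-destination" if any(ip in net for net in RFC1918_NETS) else "external-destination"


def detect(events: Iterable[dict]) -> list[dict]:
    """Return one alert per matching event, each carrying the analyst triage hint."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alerts.append({
                "image": ev["Image"],
                "destination": f"{ev['DestinationIp']}:{ev['DestinationPort']}",
                "hint": triage_hint(ev),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the two initiated regsvr32.exe connections produce alerts; the svchost.exe connection, the inbound (Initiated=false) record and the non-network event are ignored.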
Categories
- Network
- Endpoint
- Windows
Data Sources
- Process
- Network Traffic
- Application Log
Created: 2019-10-25