regsvr32 Referencing Unusual Paths

Anvilogic Forge

Summary
This detection rule targets the use of regsvr32.exe, a command-line utility for registering and unregistering OLE controls (primarily .dll files) on Windows systems. Adversaries often misuse regsvr32 for proxy execution of malicious code, using it to bypass security controls. The rule identifies instances where regsvr32 is executed from unusual or frequently abused paths, such as those associated with temporary files or user directories (e.g., `Temp`, `AppData\Local`, `Users\Public`). This aligns with behavior observed in malware campaigns such as the DarkWatchMan remote access trojan. The logic filters event logs for process creation events indicating regsvr32 usage, checks for matching file paths, and tags those instances for further analysis. To keep the rule effective, legitimate applications that normally run from paths such as `AppData\Local` should be considered for whitelisting to reduce false positives. The rule uses Splunk syntax and correlates Windows event log data to produce relevant alerts in security monitoring contexts.
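The detection logic described above, as an added example that is not the Anvilogic rule itself: it evaluates constructed process-creation events (simplified Sysmon/4688 fields, not real telemetry), flags regsvr32 invocations whose command line references the abused paths named in the summary, and applies a placeholder allowlist glob to show how false positives from `AppData\Local` software are suppressed.

```python
import ntpath
import re
from fnmatch import fnmatch

# Path fragments the rule description calls out as frequently abused by regsvr32 proxy execution.
SUSPICIOUS_PATHS = ("\\Temp\\", "\\AppData\\Local\\", "\\Users\\Public\\")

# Allowlist for legitimate software that registers DLLs from profile paths.
# Constructed placeholder; replace with globs built from your own baseline.
ALLOWLIST_GLOBS = (r"C:\Users\*\AppData\Local\ExampleVendor\*\*.dll",)

# Constructed process-creation events (simplified Sysmon Event ID 1 / 4688 fields), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\regsvr32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\setup.dll"'},
    {"host": "ws02", "image": r"C:\Windows\SysWOW64\regsvr32.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"regsvr32 /s C:\Users\Public\Libraries\helper.dll"},
    {"host": "ws03", "image": r"C:\Windows\System32\regsvr32.exe", "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"regsvr32 /s C:\Windows\System32\msxml3.dll"},
    {"host": "ws04", "image": r"C:\Windows\System32\regsvr32.exe", "parent": r"C:\Users\bob\AppData\Local\ExampleVendor\setup.exe",
     "cmdline": r"regsvr32 /s C:\Users\bob\AppData\Local\ExampleVendor\1.2\core.dll"},
    {"host": "ws05", "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe C:\Users\bob\AppData\Local\Temp\notes.txt"},
]

def is_regsvr32(event):
    """True when the created process is regsvr32.exe from either System32 or SysWOW64."""
    return ntpath.basename(event["image"]).lower() == "regsvr32.exe"

def referenced_paths(cmdline):
    """Return the absolute Windows paths on a command line, honouring quoted paths with spaces."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    return [t for t in tokens if re.match(r"[A-Za-z]:\\", t)]

def is_allowlisted(path):
    """Case-insensitive glob match against the known-good registration paths."""
    return any(fnmatch(path.lower(), g.lower()) for g in ALLOWLIST_GLOBS)

def evaluate(events):
    """One alert per regsvr32 process whose command line references a non-allowlisted unusual path."""
    alerts = []
    for ev in events:
        if not is_regsvr32(ev):
            continue
        hits = [p for p in referenced_paths(ev["cmdline"])
                if any(s.lower() in p.lower() for s in SUSPICIOUS_PATHS) and not is_allowlisted(p)]
        if hits:
            alerts.append({"host": ev["host"], "parent": ev["parent"], "paths": hits, "technique": "T1218.010"})
    return alerts

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Only ws01 (Temp under AppData\Local) and ws02 (Users\Public) alert; the System32 DLL, the allowlisted vendor path and the non-regsvr32 process are ignored.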
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1218.010
Created: 2024-02-09