Regsvr32 DLL Execution With Suspicious File Extension

Sigma Rules

Summary
This rule flags process-creation events in which REGSVR32.exe, the Windows utility for registering and unregistering COM DLLs, is invoked on a file whose extension is not one a DLL would normally carry. Attackers drop a DLL under a benign-looking name (an image, a text file, a .bin blob) so that casual inspection and extension-based controls do not treat it as executable code, and then load it with regsvr32. The detection requires both conditions to hold: the image path ends with regsvr32.exe, and the command line ends with one of the suspicious extensions, for example .bin, .bmp, .jpeg or .txt, among others. Because the second condition matches on the end of the command line, it catches the common form in which the disguised file is the last argument; a switch placed after the path would not be matched by this rule. Legitimate regsvr32 invocations operate on .dll files, so false positives are considered unlikely. The rule is a useful addition to endpoint coverage for living-off-the-land techniques that abuse signed system binaries.
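The following Python is an added example, not the Sigma rule itself, that implements the two conditions described above (image ends with regsvr32.exe, command line ends with a suspicious extension) and runs them over a handful of constructed Sysmon-style process-creation events. The extension list is limited to the four extensions named on this page; the upstream rule covers more. Tolerating a closing double quote after the extension, so that quoted paths still match, is an assumption made here, and the last sample event shows the case the end-of-command-line match deliberately does not catch.

```python
from typing import Dict, List

# Only the extensions named on the page; the upstream rule's full list is not
# reproduced here (assumption: these four are representative).
SUSPICIOUS_EXTENSIONS = (".bin", ".bmp", ".jpeg", ".txt")


def is_suspicious_regsvr32(event: Dict[str, str]) -> bool:
    """Return True when a process-creation event matches the rule logic:
    Image ends with \\regsvr32.exe AND CommandLine ends with one of
    SUSPICIOUS_EXTENSIONS. Matching is case-insensitive, as on Windows."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower().rstrip()

    if not image.endswith("\\regsvr32.exe"):
        return False

    # Assumption: accept a closing quote around the path, e.g. ... "x.txt"
    if cmdline.endswith('"'):
        cmdline = cmdline[:-1]

    return cmdline.endswith(SUSPICIOUS_EXTENSIONS)


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Return the EventIds of all events that match the rule."""
    return [e["EventId"] for e in events if is_suspicious_regsvr32(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # disguised DLL named like an image: should match
        "EventId": "evt-01",
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32.exe /s C:\Users\Public\photo.jpeg",
    },
    {   # normal COM registration of a .dll: should not match
        "EventId": "evt-02",
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll",
    },
    {   # quoted path ending in .txt under SysWOW64: should match
        "EventId": "evt-03",
        "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
        "CommandLine": r'"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\ProgramData\update.txt"',
    },
    {   # .bin loaded by a different binary: not in scope of this rule
        "EventId": "evt-04",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Temp\payload.bin,Start",
    },
    {   # switch after the path: the end-of-command-line match misses this
        "EventId": "evt-05",
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32.exe C:\Temp\payload.bin /s",
    },
]


if __name__ == "__main__":
    for event_id in scan(SAMPLE_EVENTS):
        print("ALERT:", event_id)
```

Running the script alerts on evt-01 and evt-03 only. evt-05 is the caveat to keep in mind when tuning: it is the same technique with the switch reordered, so a stricter environment may want an additional rule that matches the extension anywhere in the command line rather than only at its end.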
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2021-11-29