legitimate usage of the script. always investigate what's being registered to confirm if it's benign

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml>sigma
technicques: t1218

Techniques

Detects the use of a Microsoft signed script ‘REGISTER_APP.VBS’ to register a VSS/VDS Provider as a COM+ application.

condition: selection
selection:
  CommandLine|contains|all:
  - \register_app.vbs
  - -register