
Summary
This detection rule identifies executions of rundll32.exe whose command line invokes an inline protocol handler such as javascript:, vbscript:, or about:. Passing script text inline to rundll32.exe lets an attacker run code without writing a payload to disk, and the code runs under a trusted, Microsoft-signed Windows binary, which is why the pattern is associated with fileless malware and with bypassing application allowlisting (whitelisting). The rule is driven by Endpoint Detection and Response (EDR) process-creation telemetry, specifically Sysmon EventID 1 and Windows Security event 4688, and matches on the command-line arguments of the new process. Note that 4688 only carries the command line when the "Include command line in process creation events" audit policy is enabled; without it the rule has no field to match on. If confirmed malicious, this activity could let an attacker execute arbitrary code, circumvent security controls, and establish persistence in the affected environment. Deploying the rule requires that both log sources be ingested and normalized so that the process image and command line are presented in a consistent form for matching and response.
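As an added illustration (not part of the original rule or its shipped search logic), the following Python code applies the rule's matching logic to constructed Sysmon EventID 1 and Security 4688 process-creation records. The field names are the EventData names of each event type; the normalization mapping, the sample command lines and the detect function are this example's assumptions, not the detection's own implementation. It also separates rundll32 executions with an empty command line, which the rule cannot evaluate, from true negatives.

```python
import re
from typing import Dict, List, Optional, Tuple

# Inline protocol handlers the rule looks for on the rundll32.exe command line.
INLINE_HANDLERS = ("javascript", "vbscript", "about")

# The handler must start an argument (preceded by start-of-string, whitespace
# or a quote) and be followed by ':'. Case-insensitive: rundll32 does not
# care whether it is written javascript:, JavaScript: or JAVASCRIPT:.
HANDLER_RE = re.compile(
    r'(?:^|[\s"\'])(' + "|".join(INLINE_HANDLERS) + r')\s*:',
    re.IGNORECASE,
)

# Match the process image regardless of System32 vs SysWOW64, case, or quoting.
RUNDLL32_RE = re.compile(r'(?:^|[\\/])rundll32\.exe$', re.IGNORECASE)

# Sysmon EventID 1 and Security 4688 name the same facts differently.
# These are the EventData field names of each event; mapping them onto one
# schema is the normalization step the rule depends on (schema assumed here).
FIELD_MAP: Dict[str, Dict[str, str]] = {
    "sysmon:1": {"image": "Image", "cmd": "CommandLine", "parent": "ParentImage"},
    "security:4688": {"image": "NewProcessName", "cmd": "CommandLine",
                      "parent": "ParentProcessName"},
}


def normalize(source: str, raw: Dict[str, str]) -> Dict[str, str]:
    """Map a raw event of the given source onto the common schema."""
    fields = FIELD_MAP[source]
    return {
        "source": source,
        "image": raw.get(fields["image"], "").strip().strip('"'),
        "cmd": raw.get(fields["cmd"], ""),
        "parent": raw.get(fields["parent"], ""),
    }


def is_rundll32(image: str) -> bool:
    return RUNDLL32_RE.search(image.strip().strip('"')) is not None


def inline_handler(command_line: str) -> Optional[str]:
    """Return the inline handler used on the command line (lowercase), or None."""
    m = HANDLER_RE.search(command_line)
    return m.group(1).lower() if m else None


def detect(events: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Apply the rule to normalized events.

    Returns (hits, blind): hits are rundll32 executions with an inline
    handler; blind are rundll32 executions whose command line is empty, so
    the rule could not evaluate them (for 4688 this usually means
    command-line auditing is not enabled on that host).
    """
    hits, blind = [], []
    for ev in events:
        if not is_rundll32(ev["image"]):
            continue
        if not ev["cmd"].strip():
            blind.append(ev)
            continue
        handler = inline_handler(ev["cmd"])
        if handler:
            hits.append({**ev, "handler": handler})
    return hits, blind


# Constructed sample records (not real telemetry). The script bodies are
# placeholders; only the handler prefix matters to the rule.
SAMPLE_EVENTS = [
    normalize("sysmon:1", {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    }),
    normalize("security:4688", {
        "NewProcessName": r"C:\Windows\SysWOW64\rundll32.exe",
        "CommandLine": r'"C:\Windows\SysWOW64\rundll32.exe" VBScript:"\..\mshtml,RunHTMLApplication"',
        "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    }),
    # Benign rundll32 usage: a real DLL export, no inline handler.
    normalize("sysmon:1", {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
        "ParentImage": r"C:\Windows\explorer.exe",
    }),
    # 4688 without command-line auditing: nothing to match on.
    normalize("security:4688", {
        "NewProcessName": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": "",
        "ParentProcessName": r"C:\Windows\System32\svchost.exe",
    }),
    # Inline handler under a different binary: out of scope for this rundll32 rule.
    normalize("sysmon:1", {
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"mshta.exe javascript:close()",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    }),
]

if __name__ == "__main__":
    hits, blind = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h['source']}] {h['handler']}: via {h['parent']} -> {h['cmd']}")
    for b in blind:
        print(f"[{b['source']}] rundll32 with empty command line (no visibility): {b['image']}")
```

The blind list is worth surfacing separately in a real deployment: a host that emits 4688 events for rundll32.exe with no command line is not clean, it is invisible to this rule until command-line auditing is turned on there.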
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1218
- T1218.005
Created: 2024-11-13