
Summary
This rule detects potentially suspicious execution of rundll32.exe with svchost.exe as its parent process when the WebDAV client is involved. The detection keys on command-line arguments that load davclnt.dll and call its DavSetCookie function. A match on this parent/child pairing can indicate exfiltration attempts over WebDAV or exploitation of known vulnerabilities such as CVE-2023-23397, which affects Microsoft Outlook. To reduce false positives, the rule filters out connections to local IP addresses so that alerts stay targeted and relevant. Given the high risk associated with this behaviour, the rule helps identify threat actors abusing legitimate Windows processes, especially in corporate environments where WebDAV is also used legitimately. The local-address filter is implemented as a regular expression that excludes internal ranges, leaving connections to external IPs as the anomalous activity the rule surfaces.
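The following is an added example, not the rule's own logic, showing how the detection described above can be evaluated over process-creation events. It assumes Sysmon-style field names (ParentImage, Image, CommandLine), assumes the target host appears as the first token after DavSetCookie on the command line, and assumes the local-address filter covers the RFC 1918 ranges plus loopback and link-local. The sample events are constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Matches "davclnt.dll,DavSetCookie <target>" anywhere in the command line
# (case-insensitive). The captured group is the host the cookie is set for.
# Assumption: the target is the first whitespace-delimited token after the export name.
DAVSETCOOKIE_RE = re.compile(r"davclnt\.dll,DavSetCookie\s+(\S+)", re.IGNORECASE)

# Assumed "local" ranges that the rule's regex filter is meant to exclude.
LOCAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "169.254.0.0/16")
]


def is_local_target(target: str) -> bool:
    """True when the target is an IP literal inside one of LOCAL_NETWORKS.

    Hostnames (or anything that is not an IP literal) are treated as
    non-local, so they are not suppressed by the filter.
    """
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETWORKS)


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert dict when the event matches, else None.

    Conditions mirror the rule description: parent is svchost.exe, the
    child is rundll32.exe, the command line invokes davclnt.dll!DavSetCookie,
    and the target host is not a local address.
    """
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")

    if not parent.endswith("\\svchost.exe"):
        return None
    if not image.endswith("\\rundll32.exe"):
        return None

    match = DAVSETCOOKIE_RE.search(cmdline)
    if match is None:
        return None

    target = match.group(1)
    if is_local_target(target):
        return None  # suppressed: internal WebDAV use

    return {
        "rule": "rundll32 DavSetCookie via svchost (WebDAV)",
        "target": target,
        "command_line": cmdline,
    }


def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Evaluate every event and collect the alerts."""
    alerts = []
    for ev in events:
        alert = evaluate(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample events; 203.0.113.0/24 is a documentation range used as
# a stand-in for an external address.
SAMPLE_EVENTS = [
    {   # should alert: svchost -> rundll32, DavSetCookie, external target
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie "
                       r"203.0.113.5 http://203.0.113.5/share/file.wav",
    },
    {   # suppressed: same pattern but the target is an internal address
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie "
                       r"10.0.0.12 http://10.0.0.12/share/file.wav",
    },
    {   # no match: parent is not svchost.exe
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie "
                       r"203.0.113.5 http://203.0.113.5/x",
    },
    {   # no match: rundll32 loading an unrelated DLL
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
    },
]

if __name__ == "__main__":
    for a in run_detection(SAMPLE_EVENTS):
        print(a)
```

Only the first sample event produces an alert; the second is dropped by the local-address filter, and the remaining two fail the parent or command-line conditions. Replacing the explicit network list with the rule's own regex, or with a list tuned to an environment's address plan, is the usual adjustment when deploying this logic.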
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
Created: 2023-03-16