
Summary
Detects Windows rundll32 execution with a command-line argument containing log.dll, a pattern used by the Lotus Blossom Chrysalis backdoor. The rule flags processes in which rundll32 loads a DLL named log.dll, typically located in %AppData%\Bluetooth, to decrypt and execute shellcode. It relies on Sysmon EventID 1, Windows Security 4688 process creation events, and CrowdStrike ProcessRollup2 to establish process lineage and capture key fields such as destination host, user, and the processes involved. The Splunk SPL searches the Endpoint.Processes data model for a rundll32 invocation whose process field contains log.dll and aggregates context such as destination, user, parent process, and process details. This corresponds to DLL side-loading (MITRE ATT&CK T1574.002) as observed in the Lotus Blossom Chrysalis campaign. Ingestion guidance notes that process creation logs must be mapped to the Endpoint.Processes CIM data model and that command-line arguments must be captured so that log.dll appears in the process field; recommended tooling includes the Splunk Add-on for Microsoft Sysmon and CIM. Known false positives include legitimate rundll32 usage that loads log.dll from trusted locations, and DLL side-loading activity involving the Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe); mitigations include allowlisting known paths or parent processes. References cite the MITRE techniques, analyses of Lotus Blossom Chrysalis, and related threat groups. The rule reports the destination host and user as risk objects, and process_name and process as threat objects, to aid rapid containment and investigation.
Categories
- Endpoint
- Windows
Data Sources
- Script
- Windows Registry
- Pod
- Image
- Process
- File
ATT&CK Techniques
- T1574
- T1574.002
Created: 2026-03-13