
Summary
This analytic rule detects a potential application control bypass in which rundll32.exe loads setupapi.dll or iesetupapi.dll and calls its LaunchINFSection export. The behaviour is identified from EDR telemetry on process creation events together with their command-line arguments. Such activity may indicate that an attacker is abusing legitimate Windows functionality to run arbitrary code, which can lead to code execution, privilege escalation, or persistence within a compromised environment. The detection relies on Sysmon and Windows event logs, strengthening the endpoint security posture by alerting on this specific misuse of legitimate Windows system files.
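The matching logic described above, run over a few constructed process creation events, as an added example that is not part of the original rule or its project code. The field names (Image, CommandLine) follow Sysmon EventID 1 conventions; the sample command lines are constructed for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon EventID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe setupapi.dll,LaunchINFSection C:\Users\Public\a.inf,DefaultInstall"},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\rundll32.exe" C:\Windows\System32\IESETUPAPI.DLL,LaunchINFSection x.inf'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},   # benign rundll32 use
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo setupapi.dll,LaunchINFSection"},      # same string, wrong process
]

# Process check: the image basename is rundll32.exe, in any directory, case-insensitive.
# Note: a renamed copy of rundll32 would slip past this; matching on OriginalFileName
# (available in Sysmon EventID 1) is more robust where that field is collected.
RUNDLL32 = re.compile(r"(^|[\\/])rundll32\.exe$", re.IGNORECASE)

# Command-line check: the module argument is setupapi.dll or iesetupapi.dll (with or without
# a directory path, the .dll suffix, or surrounding quotes), followed by a comma and the
# LaunchINFSection export name. Whitespace around the comma is tolerated.
LAUNCH_INF = re.compile(
    r'(?:^|[\s"])(?:[^\s",]*[\\/])?(?:ie)?setupapi(?:\.dll)?"?\s*,\s*LaunchINFSection\b',
    re.IGNORECASE,
)


def is_launchinfsection_bypass(event: dict) -> bool:
    """Return True when a process-creation event matches the rule's logic:
    rundll32.exe loading setupapi.dll or iesetupapi.dll via LaunchINFSection."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    return bool(RUNDLL32.search(image)) and bool(LAUNCH_INF.search(cmd))


def find_matches(events):
    """Filter a list of events down to those the rule would alert on."""
    return [e for e in events if is_launchinfsection_bypass(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```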
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1218
- T1218.011
Created: 2024-12-10