
Summary
This detection rule aims to identify attempts to coerce local NTLM authentication over HTTP by using the Windows Print Spooler service as the target. It looks for `rundll32.exe` processes that invoke the WebDAV client DLL, specifically for command-line arguments indicating an access attempt to a named pipe over HTTP. Such coercion is a common primitive in NTLM relay attacks used to elevate privileges on a compromised Windows host. By keying on the `DavSetCookie` argument together with pipe paths belonging to the printing and file-sharing services, the rule covers malicious activity in the credential access and defense evasion categories. Alerts from this rule need thorough investigation: legitimate processes can also produce the same pattern, so the surrounding context is what confirms or rules out malicious intent.
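The following is an added illustration of the detection logic described above, written for this page and not taken from the rule's own query. It assumes `davclnt.dll` as the WebDAV client DLL, the pipe path fragments `/print/pipe/`, `/pipe/spoolss` and `/pipe/srvsvc` as the printing and sharing pipes (the page names only the service categories), and a process-event schema with `image` and `command_line` fields; the sample events are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events (not from the original page). Fields mimic a
# typical EDR/Sysmon schema. Event 2 is the benign case: the WebClient service also
# invokes DavSetCookie when a user opens a document on an ordinary WebDAV share.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\davclnt.dll,DavSetCookie "
                     r"127.0.0.1@80 http://127.0.0.1@80/print/pipe/spoolss"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\davclnt.dll,DavSetCookie "
                     r"fileserver http://fileserver/share/docs/report.docx"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe http://host/pipe/srvsvc"},
]

# Pipe path fragments for the print and file-sharing services. The page only says
# "pipes related to printing and sharing services"; these concrete names are assumed.
PIPE_PATTERNS = ("/print/pipe/", "/pipe/spoolss", "/pipe/srvsvc")
URL_RE = re.compile(r"https?://([^/\s]+)(/\S*)", re.IGNORECASE)

def is_rundll32(image: str) -> bool:
    # Compare on the basename so the check is independent of the install path.
    return image.lower().rsplit("\\", 1)[-1] == "rundll32.exe"

def matched_pipe(command_line: str) -> Optional[str]:
    cl = command_line.lower()
    return next((p for p in PIPE_PATTERNS if p in cl), None)

def evaluate(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert dict when all three conditions hold, else None."""
    cl = event["command_line"]
    if not is_rundll32(event["image"]) or "davsetcookie" not in cl.lower():
        return None
    pipe = matched_pipe(cl)
    if pipe is None:
        return None
    # Surface the HTTP target and path so an analyst can triage without re-parsing.
    m = URL_RE.search(cl)
    return {"target": m.group(1) if m else "", "path": m.group(2) if m else "",
            "pipe": pipe, "image": event["image"]}

def run(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [a for a in (evaluate(e) for e in events) if a is not None]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"ALERT target={alert['target']} path={alert['path']} pipe={alert['pipe']}")
```

Only the first constructed event fires; the second shows why the `DavSetCookie` argument alone is not enough and the pipe-path condition is what separates coercion from ordinary WebDAV use.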
Categories
- Endpoint
- Windows
- Cloud
- Infrastructure
Data Sources
- Process
- Windows Registry
- Network Traffic
- Application Log
- Service
- File
ATT&CK Techniques
- T1212
- T1218
- T1218.011
Created: 2022-04-30