
Summary
This detection rule identifies instances where 'rundll32.exe' is executed as a child process of 'explorer.exe'. This behavior has been associated with the Raspberry Robin malware, which uses 'rundll32.exe' to execute malicious payloads while blending in with normal Windows activity. The rule looks for process creations whose parent is 'explorer.exe', a common starting point for many legitimate processes in Windows, and scrutinizes both the image name of the executable and attributes of its command line. Its conditions are designed to reduce false positives by requiring that all specified criteria are met while excluding certain generic command lines not relevant to the threat. The detection is useful for incident responders looking to identify possible malicious activity involving 'rundll32.exe'. Reports indicate that attackers using this method do so to evade standard security measures by operating under the guise of a legitimate Windows process, which is why this executable warrants close monitoring.
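The parent/child logic described above, applied to constructed Sysmon-style process-creation events. This is an added example, not the rule's own definition; the benign command-line fragment used for the exclusion (the "Open with" dialog that explorer.exe launches through rundll32.exe) is an assumption for illustration, not the rule's actual filter value.

```python
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """One constructed Sysmon-style process-creation event."""
    image: str
    parent_image: str
    command_line: str

# Assumed benign command-line fragments (not taken from the rule): the
# "Open with" dialog is a legitimate explorer.exe -> rundll32.exe launch.
ASSUMED_BENIGN_FRAGMENTS = (
    "shell32.dll,OpenAs_RunDLL",
)

def _basename(path: str) -> str:
    """Lowercase file name of a Windows path (accepts either separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def matches_rule(ev: ProcessEvent) -> bool:
    """True when rundll32.exe is spawned by explorer.exe and the command
    line matches none of the assumed benign fragments."""
    if _basename(ev.image) != "rundll32.exe":
        return False
    if _basename(ev.parent_image) != "explorer.exe":
        return False
    cmd = ev.command_line.lower()
    return not any(frag.lower() in cmd for frag in ASSUMED_BENIGN_FRAGMENTS)

# Constructed sample events (not real telemetry): a benign "Open with"
# launch, a DLL loaded from a user temp folder, and a rundll32 child of a
# different parent that the rule should ignore.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
                 r"rundll32.exe shell32.dll,OpenAs_RunDLL C:\Users\u\notes.dat"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
                 r"rundll32.exe C:\Users\u\AppData\Local\Temp\sample.dll,Start"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\svchost.exe",
                 r"rundll32.exe sample.dll,Entry"),
]

def alerts(events):
    """Return the events that satisfy the rule."""
    return [e for e in events if matches_rule(e)]

if __name__ == "__main__":
    for ev in alerts(SAMPLE_EVENTS):
        print("ALERT:", ev.parent_image, "->", ev.command_line)
```

Only the second constructed event fires; tune the exclusion list against your own baseline of explorer.exe-launched rundll32.exe command lines before deploying.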
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-05-21