
rundll32 with No DLL in Command Line

Anvilogic Forge

Summary
This detection rule flags executions of 'rundll32.exe' whose command line does not name a Dynamic Link Library (DLL): any process-creation event for 'rundll32.exe' in which the string '.dll' does not appear. 'rundll32' is a signed, Microsoft-shipped utility that loads a library and calls an exported function, which makes it a popular Living Off the Land Binary (LOLBAS) for running attacker-controlled code without dropping a new executable (ATT&CK T1218.011, System Binary Proxy Execution: Rundll32). The loader will also accept a library name with the '.dll' extension omitted or with an arbitrary extension, so a renamed payload such as a '.txt' or '.tmp' file, or a command line that references no file at all, will not contain '.dll'; the absence of that string is the signal this rule keys on. Events are sourced from Windows Security event log EventCode 4688 (process creation), which must be configured to include the process command line for the rule to evaluate anything. To reduce noise, executions whose parent process is 'iexplore.exe' are excluded, as Internet Explorer routinely spawns 'rundll32.exe' in this form. Matching events are listed and summarized by timestamp, host, user and process details (process path, command line and parent process) so an analyst can triage each hit. Expect some benign hits from extension-less invocations of system libraries (for example 'shell32,Control_RunDLL'); tune those by parent process or full command line rather than by broadening the '.dll' check, since the missing extension is also the evasion the rule is meant to catch. Rundll32 proxy execution is a common defense-evasion technique, so this rule is a useful baseline for endpoint monitoring.
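The following is an added worked example, not code from Anvilogic Forge or from the rule itself: it implements the detection logic described above in Python and runs it over a handful of constructed EventCode 4688 records (the event data, hosts and user names are made up for illustration). It reproduces the three conditions in the summary, rundll32.exe as the created process, no '.dll' substring in the command line (case-insensitive), and a parent process other than iexplore.exe, and emits the same summary fields the rule lists.

```python
"""rundll32-without-DLL detection over constructed EventCode 4688 records.

Added example; the field names below mirror 4688 ("New Process Name",
"Process Command Line", "Creator Process Name") but the events are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal projection of a Windows Security EventCode 4688 record."""
    timestamp: str
    host: str
    user: str
    new_process_name: str            # full path of the created process
    command_line: Optional[str]      # None if command-line auditing is not enabled
    parent_process_name: str         # "Creator Process Name"


def _basename(path: str) -> str:
    """Return the lower-cased file name portion of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def matches_rule(ev: ProcessEvent) -> bool:
    """Apply the rule: rundll32.exe, no '.dll' in the command line, parent not iexplore.exe."""
    if _basename(ev.new_process_name) != "rundll32.exe":
        return False
    # Assumption made here: if the command line was not collected at all, we do
    # not alert, otherwise every rundll32 start would match while the audit
    # policy is misconfigured. The page's rule does not specify this case.
    if ev.command_line is None:
        return False
    if ".dll" in ev.command_line.lower():
        return False
    if _basename(ev.parent_process_name) == "iexplore.exe":
        return False          # expected benign false positive excluded by the rule
    return True


def summarize(ev: ProcessEvent) -> dict:
    """Project a matching event onto the fields the rule reports."""
    return {
        "timestamp": ev.timestamp,
        "host": ev.host,
        "user": ev.user,
        "process": ev.new_process_name,
        "parent": ev.parent_process_name,
        "command_line": ev.command_line,
    }


def run_detection(events: Iterable[ProcessEvent]) -> List[dict]:
    """Return the summary rows for every event that satisfies the rule."""
    return [summarize(ev) for ev in events if matches_rule(ev)]


# Constructed sample events (not real telemetry).
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    # Benign: explicit system DLL on the command line -> no hit
    ProcessEvent("2024-02-09T10:00:01Z", "WS01", "CORP\\alice", SYS32 + r"\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
                 r"C:\Windows\explorer.exe"),
    # Bare rundll32 from PowerShell, nothing to load on the command line -> hit
    ProcessEvent("2024-02-09T10:02:14Z", "WS01", "CORP\\alice", SYS32 + r"\rundll32.exe",
                 "rundll32.exe",
                 SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"),
    # No file referenced at all, script-style argument -> hit
    ProcessEvent("2024-02-09T10:03:30Z", "WS02", "CORP\\bob", r"C:\Windows\SysWOW64\rundll32.exe",
                 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication "',
                 r"C:\Windows\explorer.exe"),
    # Would match, but parent is iexplore.exe -> excluded by the rule
    ProcessEvent("2024-02-09T10:05:00Z", "WS02", "CORP\\bob", SYS32 + r"\rundll32.exe",
                 r"rundll32.exe C:\Users\bob\AppData\Local\Temp\x.tmp,Entry",
                 r"C:\Program Files\Internet Explorer\iexplore.exe"),
    # Upper-case extension must still count as a DLL -> no hit
    ProcessEvent("2024-02-09T10:06:45Z", "WS03", "CORP\\carol", SYS32 + r"\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\SHELL32.DLL,Control_RunDLL",
                 r"C:\Windows\explorer.exe"),
    # Extension omitted: loader appends .dll, so this is a likely benign hit to tune
    ProcessEvent("2024-02-09T10:08:12Z", "WS03", "CORP\\carol", SYS32 + r"\rundll32.exe",
                 "rundll32.exe shell32,Control_RunDLL",
                 r"C:\Windows\explorer.exe"),
    # Renamed payload with a non-DLL extension -> hit
    ProcessEvent("2024-02-09T10:09:00Z", "WS04", "CORP\\dave", SYS32 + r"\rundll32.exe",
                 r"rundll32.exe C:\Users\Public\update.txt,Start",
                 r"C:\Windows\System32\cmd.exe"),
    # Command line not audited -> skipped under the assumption noted above
    ProcessEvent("2024-02-09T10:10:00Z", "WS05", "CORP\\erin", SYS32 + r"\rundll32.exe",
                 None, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Four of the eight constructed events trigger: the bare invocation, the script-style argument, the extension-less 'shell32' call and the renamed '.txt' payload. The 'shell32,Control_RunDLL' hit is the kind of benign result the page's iexplore.exe exclusion exists for; in production, add similar parent- or command-line-specific exclusions rather than relaxing the '.dll' test.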
Categories
  • Windows
  • Endpoint
  • Application
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1218.011
Created: 2024-02-09