Rundll32 Spawned by Disk Cleanup

Anvilogic Forge

Summary
The rule detects instances where the Windows Disk Cleanup utility (CleanMgr.exe) has spawned rundll32.exe, which may indicate an attempt to execute malicious code through COM hijacking. COM hijacking lets an adversary run arbitrary code under the guise of a trusted system process and thereby maintain persistence on the compromised host. The rule filters process logs for events in which CleanMgr.exe is the parent of rundll32.exe, since Disk Cleanup has no routine reason to launch rundll32 and such a pairing suggests the legitimate utility is being abused. The accompanying Splunk query searches process events across hosts, so security teams can quickly investigate and respond to potential persistence activity.
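An added example, not part of the Anvilogic rule or its Splunk query: Python that applies the rule's parent/child condition to constructed Sysmon-style process-creation records and, for each hit, pulls out the module rundll32 was asked to load so an analyst has something to pivot on. Field names, hosts, users and paths in the sample log are all constructed.

```python
"""Apply the 'rundll32 spawned by Disk Cleanup' condition to process-creation events."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events, Sysmon Event ID 1 style, one key=value record per line.
SAMPLE_LOG = r"""
Computer=WS01 User=CORP\alice ParentImage=C:\Windows\System32\cleanmgr.exe Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe C:\Users\Public\suspect.dll,Start"
Computer=WS01 User=CORP\alice ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe shell32.dll,Control_RunDLL"
Computer=WS02 User=CORP\bob ParentImage=C:\Windows\System32\CleanMgr.exe Image=C:\Windows\System32\conhost.exe CommandLine="\??\C:\Windows\system32\conhost.exe 0x4"
Computer=WS02 User="NT AUTHORITY\SYSTEM" ParentImage=C:\Windows\SysWOW64\CLEANMGR.EXE Image=C:\Windows\SysWOW64\rundll32.exe CommandLine="rundll32.exe"
"""

# key=value pairs; values may be double-quoted when they contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class ProcEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return ProcEvent(fields["Computer"], fields["User"], fields["ParentImage"],
                     fields["Image"], fields["CommandLine"])


def is_cleanmgr_spawned_rundll32(ev: ProcEvent) -> bool:
    # Compare on the executable name only, case-insensitively: the rule's condition
    # is about the parent/child pairing, not where on disk the binaries live.
    return (ntpath.basename(ev.parent_image).lower() == "cleanmgr.exe"
            and ntpath.basename(ev.image).lower() == "rundll32.exe")


def detect(log_text: str) -> List[ProcEvent]:
    events = (parse_event(l) for l in log_text.splitlines() if l.strip())
    return [ev for ev in events if is_cleanmgr_spawned_rundll32(ev)]


def loaded_module(ev: ProcEvent) -> Optional[str]:
    """Heuristic triage enrichment: rundll32's first argument, up to the ',' before the export name.
    Paths containing spaces would be truncated; a bare 'rundll32.exe' with no argument yields None."""
    parts = ev.command_line.split(None, 1)
    return parts[1].split(",", 1)[0].strip('"') if len(parts) > 1 else None


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"{hit.host} {hit.user}: {hit.parent_image} -> {hit.image} module={loaded_module(hit)}")
```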
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1546.015
Created: 2024-02-09