
Summary
This detection rule identifies suspicious executions of rundll32.exe, a signed Windows binary that threat actors, notably those behind the Gamarue malware family (also known as Andromeda or Wauchos), abuse to load DLLs covertly from the command line, typically with non-standard or random-looking module names and entry points. The provided logic uses Splunk queries that filter event logs for EventID 4104 (PowerShell script block logging) and match rundll32 invocations against regex patterns indicative of this abuse. Note that script block logging only captures rundll32 launched from within PowerShell; direct invocations (for example from a script host or a dropped executable) are visible only through the Process data source listed below, so both sources should be onboarded. By examining attributes of the associated process, such as its parent process and the user account, the rule surfaces living-off-the-land (LOTL) activity and gives defenders an early point at which to respond.
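The following is an added worked example, not the rule's own Splunk logic, showing the kind of rundll32 scoring the summary describes run over a few constructed process-creation records. The regexes, the "random-looking name" heuristic (no vowels plus at least one digit), the list of scripting-host parents and the two-reason threshold are all assumptions made for illustration, not the patterns used by the actual rule; the sample events are constructed and are not real incident data.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal shape of a Windows process-creation record (Sysmon EID 1 / Security 4688)."""
    image: str
    command_line: str
    parent_image: str
    user: str


# Constructed sample telemetry (not real incident data): one benign Control Panel launch,
# two rundll32 abuses from scripting hosts, one third-party vendor DLL.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL",
              r"C:\Windows\explorer.exe", r"CORP\alice"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Users\Public\x7f2k9q1.dll,EntryPoint',
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"CORP\alice"),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Users\alice\AppData\Roaming\qwv6t3.tmp,#1",
              r"C:\Windows\System32\WScript.exe", r"CORP\alice"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Program Files\Vendor\tool.dll",Run',
              r"C:\Program Files\Vendor\app.exe", r"NT AUTHORITY\SYSTEM"),
]

# Module paths under these directories are treated as expected (assumed allow-list).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Parents that commonly precede rundll32 abuse in LOTL chains (assumed list).
SUSPICIOUS_PARENTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
# Pulls the module argument (quoted or bare) and the optional ",entry" out of the command line.
ARG_RE = re.compile(r'(?i)rundll32(?:\.exe)?"?\s+(?:"(?P<q>[^"]+)"|(?P<u>[^,\s]+))\s*(?:,\s*(?P<entry>\S+))?')
# Heuristic for random-looking names: six or more alphanumerics, no vowels, at least one digit.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[b-df-hj-np-tv-z0-9]{6,}$", re.IGNORECASE)
# Number of independent indicators needed before an event is reported (assumed threshold).
THRESHOLD = 2


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of indicators found on a rundll32 event; an empty list means not flagged."""
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return []
    m = ARG_RE.search(ev.command_line)
    if not m:
        return []
    module = (m.group("q") or m.group("u")).lower()
    entry = (m.group("entry") or "").lower()
    base = module.rsplit("\\", 1)[-1]
    stem, sep, ext = base.rpartition(".")
    if not sep:  # no extension at all
        stem, ext = base, ""
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]

    reasons = []
    if "\\" in module and not module.startswith(SYSTEM_DIRS):
        reasons.append("module outside Windows system directories")
    if ext != "dll":
        reasons.append("non-DLL module extension")
    if entry.startswith("#"):
        reasons.append("ordinal entry point")
    if RANDOM_NAME_RE.match(stem):
        reasons.append("random-looking module name")
    if parent in SUSPICIOUS_PARENTS:
        reasons.append("scripting-host parent")
    return reasons


def detect(events: list[ProcEvent]) -> list[ProcEvent]:
    """Return the events that accumulate at least THRESHOLD indicators."""
    return [ev for ev in events if len(classify(ev)) >= THRESHOLD]


if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        print(ev.user, ev.parent_image, "->", ev.command_line, "|", ", ".join(classify(ev)))
```

The threshold is what keeps the vendor DLL under Program Files out of the results while still catching the dropped .tmp loaded by ordinal from a script host; in production the per-indicator weights and allow-lists would be tuned against the environment's own baseline.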
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1218.011
Created: 2024-02-09