Summary
This detection rule identifies executions of `rundll32.exe` in which the dynamic-link library (DLL) being loaded is stored in an NTFS Alternate Data Stream (ADS). Attackers use this technique to hide a payload inside another file's stream, so the DLL does not appear in ordinary directory listings and its execution is harder to spot. The rule covers process-creation events on Windows and works by inspecting the command line of the newly created process. It matches on characteristics of `rundll32.exe` itself (its image name and file signature) together with command line patterns known to indicate a DLL referenced through an ADS. The rule fires only when both the image name and the command line of the executed process satisfy the criteria of their respective selection sets. False positives are listed as 'Unknown', meaning that additional context may be needed to distinguish rare or legitimate uses of ADS from malicious ones. The rule is useful for catching threat actors who execute malicious code stealthily through this method.
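As an added illustration (not the rule's own code), the two-selection structure described above can be written as a small Python evaluator over process-creation events; the `ProcessEvent` fields, the `ADS_IN_CMDLINE` regex and the sample events are assumptions constructed for this example:

```python
import re
from dataclasses import dataclass

# Assumed ADS pattern: an NTFS stream is addressed as <path>:<stream>, e.g.
# C:\Temp\notes.txt:payload.dll. We require a drive-letter path followed by a
# second colon that introduces the stream name. Whitespace is excluded so that
# "C:\x.dll,Entry http://..." is not mistaken for a stream reference; quoted
# paths containing spaces are deliberately not handled by this simplified form.
ADS_IN_CMDLINE = re.compile(r'[A-Za-z]:\\[^:"\s]+:[^\\\s",]+', re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str               # full path of the created process
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str


def matches_rundll32(ev: ProcessEvent) -> bool:
    """Selection set 1: the image, or its embedded original filename, is rundll32."""
    return (ev.image.lower().endswith("\\rundll32.exe")
            or ev.original_file_name.upper() == "RUNDLL32.EXE")


def references_ads(ev: ProcessEvent) -> bool:
    """Selection set 2: the command line names a file stream (<path>:<stream>)."""
    return ADS_IN_CMDLINE.search(ev.command_line) is not None


def rule_fires(ev: ProcessEvent) -> bool:
    """Condition: both selection sets must match."""
    return matches_rundll32(ev) and references_ads(ev)


def evaluate(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Return the events that trigger the rule."""
    return [ev for ev in events if rule_fires(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE",
                 r"rundll32.exe C:\Temp\notes.txt:payload.dll,DllMain"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    # Renamed binary: image name differs, but OriginalFileName still matches.
    ProcessEvent(r"C:\Temp\svc.exe", "RUNDLL32.EXE", r"svc.exe C:\Temp\log.txt:x.dll,Run"),
    # ADS in the command line but not rundll32: must not fire.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe", r"cmd.exe /c type C:\Temp\log.txt:x.dll"),
]
```

Checking `OriginalFileName` alongside the image path is what lets the second selection survive a renamed `rundll32.exe`.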
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2023-01-21