
Suspicious Workstation Locking via Rundll32

Sigma Rules

Summary
This Sigma rule flags a specific use of the signed Windows binary `rundll32.exe`: calling the `user32.dll` export `LockWorkStation`, which locks the interactive user's session. The process-creation selection requires all of the following: the image ends with `\rundll32.exe`, the parent image ends with `\cmd.exe`, and the command line contains both `user32.dll,` and `LockWorkStation` (Sigma string matching is case-insensitive). Locking the screen from a cmd.exe script is rare in normal administration, and routing the API call through `rundll32.exe` is a form of signed-binary proxy execution (ATT&CK T1218.011), so the combination is treated as suspicious. Note that it is the scripted lock that is suspicious, not an attack on the session itself: locking a workstation does not grant access to it. Expect false positives from legitimate batch scripts or shortcuts that lock the screen this way instead of using the standard Windows lock; tune by excluding known scripts or paths. The parent-process constraint also bounds coverage: the same `rundll32.exe user32.dll,LockWorkStation` invocation launched from another parent (a shortcut under explorer.exe, a PowerShell script) will not match this rule.
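The following is an added example, not part of this page or of the Sigma project: it re-implements the rule's selection in Python and runs it over constructed Sysmon-style process-creation events (field names `Image`, `ParentImage`, `CommandLine` as in the Sigma `process_creation` logsource; the log lines are synthetic, not real telemetry). The samples include a true positive, an upper-cased variant to show the case-insensitive match, a shortcut-style launch under explorer.exe, and a PowerShell-parented launch, so the rule's scope and its blind spots are both visible.

```python
"""Evaluate the 'Suspicious Workstation Locking via Rundll32' selection over
JSON-lines process telemetry. Added illustration; field names follow Sysmon
Event ID 1 / Sigma process_creation, event content is constructed."""

import json

RULE_TITLE = "Suspicious Workstation Locking via Rundll32"

# Constructed sample events (one JSON object per line). Not real telemetry.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "rundll32.exe user32.dll,LockWorkStation"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" user32.dll,LockWorkStation"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"}
{"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\rundll32.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "RUNDLL32 USER32.DLL,LockWorkStation"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "rundll32.exe user32.dll,LockWorkStation"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\rundll32.exe", "DestinationIp": "10.0.0.5"}
"""


def matches_rule(event: dict) -> bool:
    """Return True when every condition of the rule's selection holds.

    Sigma's endswith/contains modifiers are case-insensitive, so all fields
    are lower-cased before comparison. Only process-creation events
    (Sysmon Event ID 1) are considered; other event types never match."""
    if event.get("EventID") != 1:
        return False
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return (
        image.endswith("\\rundll32.exe")
        and parent.endswith("\\cmd.exe")
        and "user32.dll," in cmdline
        and "lockworkstation" in cmdline
    )


def run_detection(log_text: str) -> list[dict]:
    """Parse JSON-lines telemetry and return the events that fire the rule."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if matches_rule(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_LOG):
        print(f"[{RULE_TITLE}] {hit['ParentImage']} -> {hit['CommandLine']}")
```

Running it reports two hits: the plain cmd.exe-parented invocation and its upper-cased variant. The explorer.exe sample (the shortcut-launched lock the page lists as a false-positive source) and the powershell.exe sample do not fire, because the rule keys on a cmd.exe parent; if lock-via-rundll32 from any scripting host is of interest, the parent condition is the one to widen, at the cost of more noise from legitimate shortcuts.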
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Command
Created: 2022-06-04