
Summary
This rule detects the initiation of command shell activity via the RunDLL32 application in Windows environments, a technique attackers often use to execute malicious code while evading security controls. The rule identifies instances where cmd.exe or PowerShell is launched as a child process with RunDLL32 as the parent, and it inspects the command line arguments to filter out known legitimate uses. Because some of these runs are benign, particularly those started by installation scripts, the rule mitigates false positives by excluding common benign command line arguments. The accompanying investigation guide outlines steps for validating alerts and responding to incidents, including isolating affected systems, terminating suspicious processes, and conducting thorough scans. It also references the relevant MITRE ATT&CK techniques that align with the monitored behaviors, so that personnel understand the broader operational context of the rule and can take the necessary steps for effective incident response.
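The following is an added example, not the rule's own query or any code from the rule's authors: a small stand-alone re-implementation of the detection logic described above, run over constructed process-creation events. The event field names (process_name, parent_name, command_line) and the benign exclusion patterns are assumptions made for illustration; the page does not list the rule's actual exclusions.

```python
"""Detection logic for a command shell spawned by rundll32.exe (added example).

Assumptions (not from the rule itself):
  - events carry process_name, parent_name and command_line fields
  - BENIGN_CMDLINE_PATTERNS is a constructed placeholder exclusion list
"""
import fnmatch
from dataclasses import dataclass

# Shells the rule is interested in (child process names, case-insensitive).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Parent process that makes the shell launch suspicious.
SUSPICIOUS_PARENT = "rundll32.exe"

# Constructed placeholder exclusions: command lines matching these glob patterns
# are treated as known-benign (e.g. installer scripts) and suppressed.
BENIGN_CMDLINE_PATTERNS = [
    "*\\installer\\*",
    "*setup.cmd*",
]


@dataclass(frozen=True)
class ProcessEvent:
    process_name: str
    parent_name: str
    command_line: str


def is_benign(command_line: str) -> bool:
    """True when the command line matches any exclusion pattern."""
    lowered = command_line.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in BENIGN_CMDLINE_PATTERNS)


def matches(event: ProcessEvent) -> bool:
    """True when a shell is started with rundll32 as parent and no exclusion applies."""
    if event.parent_name.lower() != SUSPICIOUS_PARENT:
        return False
    if event.process_name.lower() not in SHELLS:
        return False
    return not is_benign(event.command_line)


def detect(events):
    """Return the subset of events that would raise an alert."""
    return [e for e in events if matches(e)]


# Constructed sample events: two true positives, one excluded installer run,
# and two events that do not match the parent/child combination.
SAMPLE_EVENTS = [
    ProcessEvent("cmd.exe", "rundll32.exe", "cmd.exe /c whoami"),
    ProcessEvent("powershell.exe", "RunDll32.exe", "powershell.exe -Command Get-Process"),
    ProcessEvent("cmd.exe", "rundll32.exe",
                 'cmd.exe /c "C:\\Program Files\\Vendor\\installer\\setup.cmd"'),
    ProcessEvent("cmd.exe", "explorer.exe", "cmd.exe /c dir"),
    ProcessEvent("notepad.exe", "rundll32.exe", "notepad.exe readme.txt"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit.process_name} spawned by {hit.parent_name}: {hit.command_line}")
```

Running the script prints the two alerts and silently drops the installer run; tuning the rule in practice means adjusting the exclusion list against real telemetry rather than the placeholders used here.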
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1059
- T1059.001
- T1059.003
- T1552
- T1218
- T1218.011
Created: 2020-10-19