
Summary
This detection rule targets the invocation of DLL functions through the Windows utility rundll32.exe, specifically monitoring for calls to an export named RS32. Threat actors, such as those behind the Qbot malware, have been identified using this method to execute malicious payloads post-compromise. The rule looks for instances where rundll32.exe is used to invoke the RS32 function of any DLL, even when rundll32.exe has been renamed, thus capturing executions that may not be legitimate. The detection is designed to limit false positives: it flags unexpected RS32 invocations for investigation rather than treating every use of rundll32.exe as malicious. The implementation queries EDR logs for recent processes that match these criteria, providing defensive visibility into potentially evasive behavior by malware that leverages Living Off the Land Binaries and Scripts (LOLBAS). This approach emphasizes the need for organizations to closely monitor unusual binary executions that can indicate escalation or compromise of their systems, prompting further investigation to contain and mitigate the risks associated with unauthorized DLL executions.
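The rule logic described above, expressed as an added example run over constructed process-creation events; this is illustrative code, not the rule's own query. It assumes Sysmon-style field names (Image, OriginalFileName, CommandLine, ProcessId), uses OriginalFileName to catch a renamed rundll32.exe, and parses the rundll32 `<dll>,<entry point>` syntax (accepting a bare space as separator is an assumption).

```python
import re

# rundll32 syntax: <exe> <dll>,<entry point> [args]. The exe and DLL tokens may
# be quoted. Accepting a bare space as the DLL/entry-point separator is an
# assumption made here so slightly malformed command lines are not missed.
ENTRY_POINT = re.compile(
    r'^\s*(?:"[^"]*"|\S+)'       # executable token (possibly quoted)
    r'\s+(?:"[^"]*"|[^\s,]+)'    # DLL path (possibly quoted)
    r'\s*(?:,\s*|\s+)'           # separator
    r'([A-Za-z_]\w*)'            # entry point (export name)
)

def is_rundll32(event: dict) -> bool:
    """True for rundll32 even if the binary on disk was renamed: the
    OriginalFileName field (from the PE version resource; Sysmon-style
    field name assumed) still reports RUNDLL32.EXE for a renamed copy."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    return image == "rundll32.exe" or original == "rundll32.exe"

def rundll32_entry_point(command_line: str):
    """Return the entry point named on a rundll32 command line, or None."""
    m = ENTRY_POINT.match(command_line)
    return m.group(1) if m else None

def rs32_via_rundll32(event: dict) -> bool:
    """Rule logic: rundll32 (renamed or not) invoking an RS32 export."""
    if not is_rundll32(event):
        return False
    entry = rundll32_entry_point(event.get("CommandLine", ""))
    return entry is not None and entry.lower() == "rs32"

def detect(events):
    """Return the ProcessIds of the events that match the rule."""
    return [e["ProcessId"] for e in events if rs32_via_rundll32(e)]

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Users\Public\update.dll",RS32'},
    {"ProcessId": 1002, "Image": r"C:\Users\Public\svc.exe",   # renamed copy
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"svc.exe C:\Users\Public\update.dll, rs32"},
    {"ProcessId": 1003, "Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign
    {"ProcessId": 1004, "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c echo RS32"},  # not rundll32
]
```

Running `detect(SAMPLE_EVENTS)` flags 1001 and 1002 only; the renamed copy is caught through OriginalFileName, and the benign Control_RunDLL call and the unrelated cmd.exe line are not.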
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
- Sensor Health
ATT&CK Techniques
- T1218.011
Created: 2024-02-09