
Summary
This detection rule identifies executions of rundll32.exe that carry no command line arguments, a pattern that can indicate suspicious behavior and potential malware activity, such as that performed by Cobalt Strike. The analytic uses process execution telemetry from Endpoint Detection and Response (EDR) systems. Rundll32.exe is a legitimate Windows utility for executing DLLs, and it normally requires command line parameters to perform its function. An execution with no arguments is therefore abnormal and may indicate an attempt to execute arbitrary code, which can lead to activities such as credential dumping or unauthorized file manipulation. The rule employs a Splunk query that filters process events on this behavior and extracts the relevant process fields. Implementation requires that endpoint logs be ingested and mapped to the Splunk Common Information Model (CIM) so that the query's fields resolve. The rule is robust but may generate false positives in very rare cases where a legitimate application invokes rundll32 in a non-standard way.
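The following is an added example, not the rule's own Splunk query: it reproduces the "rundll32.exe with no arguments" condition in Python over a constructed set of process-creation events, so the matching logic can be checked offline. The event field names (dest, user, parent_process_name, process_name, process) are assumed to follow the CIM Endpoint.Processes data model; the sample events are made up. It handles the cases a naive string comparison gets wrong: a quoted executable path, trailing whitespace, mixed-case process names, and events where the EDR did not capture a command line at all.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of process-creation events, shaped like CIM
# Endpoint.Processes fields. Only two of these should match the rule:
# the bare "rundll32.exe" from cmd.exe and the quoted path from powershell.exe.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"dest": "ws01", "user": "alice", "parent_process_name": "explorer.exe",
     "process_name": "rundll32.exe",
     "process": "C:\\Windows\\System32\\rundll32.exe shell32.dll,Control_RunDLL"},
    {"dest": "ws01", "user": "alice", "parent_process_name": "cmd.exe",
     "process_name": "rundll32.exe",
     "process": "rundll32.exe"},
    {"dest": "ws02", "user": "bob", "parent_process_name": "powershell.exe",
     "process_name": "RUNDLL32.EXE",
     "process": "\"C:\\Windows\\SysWOW64\\rundll32.exe\"  "},
    {"dest": "ws02", "user": "bob", "parent_process_name": "svchost.exe",
     "process_name": "rundll32.exe",
     "process": "rundll32.exe C:\\Windows\\System32\\davclnt.dll,DavSetCookie"},
    {"dest": "ws03", "user": "carol", "parent_process_name": "winword.exe",
     "process_name": "rundll32.exe",
     "process": ""},  # command line not captured by the sensor
    {"dest": "ws03", "user": "carol", "parent_process_name": "explorer.exe",
     "process_name": "notepad.exe",
     "process": "notepad.exe"},
]


def split_executable(cmdline: str) -> Tuple[str, str]:
    """Split a Windows command line into (executable token, remaining arguments).

    A quoted executable ends at the closing quote; an unquoted one ends at the
    first whitespace. The returned argument string is stripped, so a command
    line that is only the executable plus trailing spaces yields "".
    """
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:  # unterminated quote: treat the rest as the executable
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    m = re.match(r"\S+", s)
    if not m:
        return "", ""
    return m.group(0), s[m.end():].strip()


def is_argless_rundll32(event: Dict[str, str]) -> bool:
    """True when the event is rundll32.exe launched with no arguments."""
    if event.get("process_name", "").lower() != "rundll32.exe":
        return False
    cmdline = event.get("process")
    if not cmdline or not cmdline.strip():
        # No command line in telemetry: we cannot tell whether arguments were
        # passed, so do not raise an alert on incomplete data.
        return False
    _exe, args = split_executable(cmdline)
    return args == ""


def find_argless_rundll32(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that satisfy the detection condition."""
    return [e for e in events if is_argless_rundll32(e)]


if __name__ == "__main__":
    for hit in find_argless_rundll32(SAMPLE_EVENTS):
        print(f"{hit['dest']} {hit['user']} "
              f"{hit['parent_process_name']} -> {hit['process']!r}")
```

An event whose command line was not recorded is deliberately not treated as a hit: an empty field looks identical to "no arguments" but usually means the sensor dropped the data, and alerting on it would turn every gap in telemetry into a false positive.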
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1218
- T1218.011
Created: 2024-11-13