
Potential CVE-2023-23397

Anvilogic Forge

Summary
This detection rule aims to identify potential exploitation of CVE-2023-23397, a vulnerability in Microsoft Office Outlook that may allow threat actors to carry out an NTLM relay attack disguised as the svchost process spawning rundll32 via the DavSetCookie function in davclnt.dll. The logic draws on endpoint data collection and examines specific event types, such as child processes, network connections, and process events, that expose this behavior. It checks for key indicators, namely the presence of 'svchost.exe', 'rundll32', and DavSetCookie, with regex validation of the process names, and triggers an alert when a match is found. The threat actor APT28 is associated with this technique, which underscores the need for rapid detection and response to such privilege escalation attacks to mitigate risk. The detection operates primarily on EDR logs and process command-line parameters, applying analytics aimed at process injection and potential unencrypted exfiltration methods.
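As an added example that is not part of the Anvilogic Forge rule, the following Python applies the parent-process, child-process and command-line checks described above to constructed EDR process events; the event field names, IP addresses and share path are assumptions.

```python
import re

# Constructed sample EDR process-creation events; the IPs and share path
# are placeholders (RFC 5737 range), not real infrastructure.
SAMPLE_EVENTS = [
    {   # WebClient service (svchost) launching the DavSetCookie export: should alert
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\rundll32.exe",
        "command_line": r"rundll32.exe C:\Windows\System32\davclnt.dll,DavSetCookie 192.0.2.10 http://192.0.2.10/share",
    },
    {   # Same parent/child pair, different DLL export: benign, no alert
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\rundll32.exe",
        "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    },
    {   # DavSetCookie present but the parent is not svchost: no alert
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\rundll32.exe",
        "command_line": r"rundll32.exe davclnt.dll,DavSetCookie 192.0.2.11 http://192.0.2.11/x",
    },
]

# Regexes validate the process names instead of relying on loose substring hits
PARENT_RE = re.compile(r"(?:^|\\)svchost\.exe$", re.IGNORECASE)
CHILD_RE = re.compile(r"(?:^|\\)rundll32(?:\.exe)?$", re.IGNORECASE)
# davclnt.dll followed by the DavSetCookie export, tolerating spaces around the comma
DAVSETCOOKIE_RE = re.compile(r"davclnt\.dll\s*,\s*DavSetCookie\b", re.IGNORECASE)


def is_suspicious(event: dict) -> bool:
    """True when svchost.exe spawns rundll32 invoking davclnt.dll!DavSetCookie."""
    return bool(
        PARENT_RE.search(event.get("parent_image", ""))
        and CHILD_RE.search(event.get("image", ""))
        and DAVSETCOOKIE_RE.search(event.get("command_line", ""))
    )


def detect(events: list) -> list:
    """Return the subset of events that would raise a CVE-2023-23397 alert."""
    return [e for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit["command_line"])
```

Because the WebClient service invokes DavSetCookie for any WebDAV access, legitimate WebDAV use will also match; tune with an allowlist of known hosts before deploying.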
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • User Account
  • Application Log
ATT&CK Techniques
  • T1048.003
  • T1055.001
Created: 2024-02-09