RunDLL Loading DLL By Ordinal

Splunk Security Content

Summary
This detection rule identifies executions of rundll32.exe whose command line loads a DLL export function by its ordinal value rather than by its exported name. Adversaries abuse rundll32.exe, a signed Windows binary, to run code from a DLL while potentially evading security tools that key on named entry points. The analytic uses data collected from Endpoint Detection and Response (EDR) systems, focusing on the command-line arguments recorded for process executions. The detection logic examines Sysmon and Windows Event Log process-creation events, matching command lines that show the irregular loading pattern in which the DLL entry point is given as an ordinal number. Because this technique is stealthy, malicious use of rundll32.exe can compromise systems and escalate privileges, which makes this detection a high-value one for security operations.
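As an added illustration of the logic the summary describes (this is example code, not the Splunk rule's own search), the following Python checks Sysmon-style process-creation events for a rundll32.exe image whose command line names the entry point as an ordinal (`<dll>,#N`). The regular expression, the field names (`Image`, `CommandLine`, `ParentImage`) and the sample events are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional

# rundll32 takes "<dll>,<entrypoint>"; an entry point written as "#N" selects
# the export with ordinal N instead of an exported name. This regex captures
# the DLL argument and the ordinal, tolerating whitespace around the comma.
# Assumed pattern for the example, not the Splunk detection's own search.
ORDINAL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+([^,]+?)\s*,\s*#(\d+)\b', re.IGNORECASE
)

# Constructed Sysmon Event ID 1 style records (not real log data).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\update.dll,#1",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32 C:\ProgramData\x\tmp.dll , #2 /s",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe rundll32 notes.dll,#1",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def is_rundll32(image: str) -> bool:
    """True when the image path's file name is rundll32.exe (any directory)."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.lower() == "rundll32.exe"


def ordinal_call(cmdline: str) -> Optional[Dict[str, object]]:
    """Return the DLL argument and ordinal if the command line uses #N syntax."""
    m = ORDINAL_RE.search(cmdline)
    if not m:
        return None
    return {"dll": m.group(1).strip(), "ordinal": int(m.group(2))}


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag events where the process is rundll32.exe and the entry point is an ordinal.

    The image check mirrors the rule's focus on the rundll32.exe process, so a
    different binary that merely mentions 'rundll32' in its arguments is not flagged.
    """
    hits = []
    for ev in events:
        if not is_rundll32(ev.get("Image", "")):
            continue
        call = ordinal_call(ev.get("CommandLine", ""))
        if call is None:
            continue
        hits.append({
            "dll": call["dll"],
            "ordinal": call["ordinal"],
            "parent": ev.get("ParentImage", ""),
            "command_line": ev.get("CommandLine", ""),
        })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"rundll32 ordinal load: {hit['dll']} #{hit['ordinal']} "
              f"(parent: {hit['parent']})")
```

Of the four constructed events only the first and third are flagged: the second uses a named export (`Control_RunDLL`), and the fourth is not a rundll32.exe process at all. In a real pipeline the same two checks map onto the process name and command-line fields of the EDR data the rule consumes, with the parent process kept in the result because it is the first thing an analyst will want for triage.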
Categories
  • Endpoint
Data Sources
  • Pod
  • Container
  • User Account
  • Windows Registry
  • Script
  • Process
  • Cloud Service
ATT&CK Techniques
  • T1218
  • T1218.011
Created: 2024-11-13