
Potentially Suspicious Rundll32 Activity

Sigma Rules

Summary
This detection rule identifies potentially malicious use of 'rundll32.exe', the signed Windows utility that loads a DLL and calls one of its exported functions. Because it ships with every Windows installation and is routinely spawned by legitimate software, attackers use it to run code without dropping a new executable, a living-off-the-land binary (LOLBIN) technique. Rather than alerting on 'rundll32.exe' alone, the rule inspects the process creation command line for specific DLL and export-function combinations known to be abused for code execution, so that a hit reflects a documented LOLBIN pattern rather than ordinary use. Exclusions for known administrative invocations of those same exports keep alert volume manageable. The rule therefore requires process creation telemetry that records the full command line (for example Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled). Because the match is on export names, an export invoked by ordinal (',#1') rather than by name falls outside the pattern, so the rule is best paired with other rundll32 and DLL-loading detections.
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2019-01-16