
Summary
This detection rule identifies suspicious invocations of rundll32.exe that execute inline VBScript, a technique used by the UNC2452 threat actor (the group Microsoft tracks as NOBELIUM, responsible for the SolarWinds supply-chain compromise). The rule inspects the command line of process-creation events and flags those in which 'rundll32.exe' appears together with keywords characteristic of VBScript execution: 'Execute', 'RegRead', and 'window.close'. rundll32.exe is a legitimate, signed Windows binary, so using it to run script code (here, script content fetched from the registry via RegRead rather than from a file on disk) is a living-off-the-land evasion technique: no script file is dropped and the activity blends in with normal rundll32 usage. The rule was derived from analysis of NOBELIUM activity, in which this pattern was used to conduct reconnaissance and data exfiltration. The false-positive rate is listed as 'Unknown', so every hit should be investigated rather than auto-closed: review the full command line, the registry value referenced by RegRead, and the parent process before deciding whether the invocation is legitimate.
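The matching logic described above, run over a handful of constructed process-creation events, as an added example. This is not the rule's own implementation or code from the rule's authors; it assumes the rule requires all of the listed keywords to co-occur with 'rundll32.exe' in a single command line and that matching is case-insensitive (the default behaviour of Sigma's 'contains' modifier). The ProcessEvent class, the SAMPLE_EVENTS, the registry paths and the extract_regread_paths triage helper are all hypothetical and exist only for this illustration.

```python
import re
from dataclasses import dataclass

# Keywords the rule looks for; every one of them must appear in the command line.
# (Assumption: the rule is an all-of match, not any-of.)
KEYWORDS = ("rundll32.exe", "Execute", "RegRead", "window.close")


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon EID 1 / Security 4688 style). Hypothetical."""
    image: str
    command_line: str
    parent_image: str = ""


def matches_inline_vbscript(command_line: str) -> bool:
    """Return True when ALL keywords occur in the command line, case-insensitively."""
    lowered = command_line.lower()
    return all(keyword.lower() in lowered for keyword in KEYWORDS)


# Triage helper (not part of the rule): pull out the registry value(s) the inline
# script reads so an analyst can go look at what payload was stored there.
REGREAD_PATH_RE = re.compile(r'RegRead\(\s*"([^"]+)"\s*\)', re.IGNORECASE)


def extract_regread_paths(command_line: str) -> list[str]:
    """Return every quoted registry path passed to RegRead(...) in the command line."""
    return REGREAD_PATH_RE.findall(command_line)


def run_detection(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Return (event, regread_paths) for each event the rule would flag."""
    hits = []
    for event in events:
        if matches_inline_vbscript(event.command_line):
            hits.append((event, extract_regread_paths(event.command_line)))
    return hits


# Constructed sample events; none of these are real telemetry.
SAMPLE_EVENTS = [
    # 1. Inline VBScript read from the registry and executed via rundll32: should fire.
    ProcessEvent(
        image=r"C:\Windows\System32\rundll32.exe",
        command_line=r'rundll32.exe vbscript:"\..\mshtml,RunHTMLApplication "+Execute(CreateObject("WScript.Shell").RegRead("HKLM\SOFTWARE\ExampleVendor\Stage"))+window.close()',
        parent_image=r"C:\Windows\System32\cmd.exe",
    ),
    # 2. Ordinary Control Panel launch: should not fire.
    ProcessEvent(
        image=r"C:\Windows\System32\rundll32.exe",
        command_line=r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll",
        parent_image=r"C:\Windows\explorer.exe",
    ),
    # 3. Two of the three keywords appear (in a URL) but RegRead does not: should not fire,
    #    which is why the rule is an all-of match and not any-of.
    ProcessEvent(
        image=r"C:\Windows\System32\rundll32.exe",
        command_line=r"rundll32.exe url.dll,FileProtocolHandler https://example.invalid/Execute?window.close=1",
        parent_image=r"C:\Windows\explorer.exe",
    ),
    # 4. Same technique as (1) with mixed case: should still fire.
    ProcessEvent(
        image=r"C:\Windows\System32\rundll32.exe",
        command_line=r'RUNDLL32.EXE vbscript:"\..\mshtml,RunHTMLApplication "+EXECUTE(CreateObject("WScript.Shell").REGREAD("HKCU\Software\ExampleVendor\Stage"))+WINDOW.CLOSE()',
        parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    ),
]


if __name__ == "__main__":
    for event, paths in run_detection(SAMPLE_EVENTS):
        print(f"ALERT parent={event.parent_image}")
        print(f"      cmdline={event.command_line}")
        print(f"      regread={paths}")
```

Events 1 and 4 are flagged and the registry path each script reads is attached to the alert; events 2 and 3 are ignored. Event 3 is the one worth noting when tuning: a single keyword such as 'Execute' or 'window.close' turns up in benign rundll32 command lines, so loosening the rule to any-of would generate noise without catching anything the all-of form misses.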
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2021-03-05