
Windows Rundll32 with Non-Standard File Extension

Splunk Security Content

Summary
Analyzes Windows rundll32.exe activity to detect the loading of modules with non-standard Windows module extensions, a technique commonly used to disguise malicious DLL loading and bypass some security tooling. The rule targets rundll32.exe process starts whose command lines reference non-standard module extensions, leveraging Sysmon (Event ID 1), Windows Security events (Event ID 4688) and CrowdStrike ProcessRollup telemetry to correlate process lineage, parent processes and full command lines.

The SPL logic parses the process command line to extract the base executable and its arguments, derives the root and subdirectories of the referenced module path, and computes the number of folders in that path. It then flags executions where the path depth is three (excluding common Windows directories) or where the path resides under unusual locations such as ProgramData, Users\Public or AppData folders. The detection also filters out legitimate system DLLs and common Windows components by excluding the known DLL/driver/inf/mui/ocx extensions, reducing false positives.

When a suspect run is identified, the rule maps the event to a risk statement indicating that a parent process launched rundll32 to load a module with a non-standard DLL extension on the host, enabling responders to investigate precursor activity and the surrounding context (parent process, file path and user). This analytic aligns with living-off-the-land techniques and Gh0st RAT indicators, providing targeted visibility into suspicious rundll32 usage while leveraging established endpoint telemetry to minimize noise.
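The following is an added example, not Splunk's SPL and not part of the Splunk Security Content project: a small Python re-implementation of the decision logic the summary describes (extract the module argument, count path folders, test for depth three outside common Windows roots or for the ProgramData / Users\Public / AppData locations, and suppress the standard module extensions), run over a few constructed Sysmon-style process events. The concrete sets `STANDARD_MODULE_EXTENSIONS` (mapping "driver" to `.drv`) and `COMMON_WINDOWS_ROOTS`, the event field names, and the `,EntryPoint` parsing are assumptions made for this example; the summary does not enumerate them.

```python
"""Added example: Python re-implementation of the rundll32 non-standard
extension logic described on the page. Not Splunk's SPL; folder sets and
event field names below are assumptions."""
import re
from typing import Optional

# Module types the rule treats as normal for rundll32 (page lists
# DLL/driver/inf/mui/ocx; mapping "driver" to ".drv" is an assumption).
STANDARD_MODULE_EXTENSIONS = {".dll", ".drv", ".inf", ".mui", ".ocx"}

# "Common Windows directories" excluded from the depth-3 test. Assumed set;
# the page does not enumerate them.
COMMON_WINDOWS_ROOTS = {"windows", "program files", "program files (x86)"}

# rundll32 syntax: <exe> <module>[,EntryPoint] [args]. Either token may be quoted.
_MODULE_RE = re.compile(r'^\s*(?:"[^"]*"|\S+)\s+(?:"(?P<q>[^"]*)"|(?P<u>[^\s,]+))')


def extract_module_path(cmdline: str) -> Optional[str]:
    """Return the module argument handed to rundll32, without the ',EntryPoint'
    suffix, or None when the command line carries no argument."""
    m = _MODULE_RE.match(cmdline)
    if not m:
        return None
    arg = m.group("q") if m.group("q") is not None else m.group("u")
    return arg.split(",", 1)[0].strip() or None


def split_module_path(module: str):
    """Split 'C:\\a\\b\\x.txt' into (folders, filename, extension).
    The drive letter is not counted as a folder."""
    parts = [p for p in re.split(r"[\\/]+", module) if p]
    if parts and re.fullmatch(r"[A-Za-z]:", parts[0]):
        parts = parts[1:]
    if not parts:
        return [], "", ""
    filename = parts[-1]
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot > 0 else ""
    return parts[:-1], filename, ext


def evaluate_command_line(cmdline: str) -> Optional[dict]:
    """Apply the rule's conditions to one rundll32 command line.

    Returns a finding when the module has a non-standard extension AND either
    (a) it sits three folders deep outside common Windows roots, or
    (b) it lives under ProgramData, Users\\Public or any AppData folder.
    """
    module = extract_module_path(cmdline)
    if module is None:
        return None
    folders, filename, ext = split_module_path(module)
    if ext in STANDARD_MODULE_EXTENSIONS or not folders:
        return None  # standard module type, or a bare name resolved via search path
    lowered = [f.lower() for f in folders]
    root = lowered[0]
    unusual_location = (
        root == "programdata"
        or (root == "users" and len(lowered) > 1 and lowered[1] == "public")
        or "appdata" in lowered
    )
    depth_three = len(folders) == 3 and root not in COMMON_WINDOWS_ROOTS
    if not (unusual_location or depth_three):
        return None
    return {
        "module": module,
        "extension": ext or "<none>",
        "folder_count": len(folders),
        "reason": "unusual location" if unusual_location else "depth 3 outside Windows roots",
    }


def run_detection(events) -> list:
    """Run the rule over process-creation events (Sysmon EID 1 style fields)
    and return one risk statement per hit, worded as the page describes."""
    hits = []
    for ev in events:
        if not ev["process"].lower().endswith("rundll32.exe"):
            continue
        finding = evaluate_command_line(ev["command_line"])
        if finding:
            hits.append(
                f'{ev["parent_process"]} launched rundll32 to load a non-standard DLL '
                f'extension ({finding["extension"]}) on host {ev["host"]} as {ev["user"]}: '
                f'{finding["module"]} [{finding["reason"]}]'
            )
    return hits


def _event(parent_process: str, command_line: str) -> dict:
    # Constructed sample telemetry (not real events); field names are assumed.
    return {"host": "WS01", "user": "CORP\\alice", "parent_process": parent_process,
            "process": r"C:\Windows\System32\rundll32.exe", "command_line": command_line}


SAMPLE_EVENTS = [
    _event(r"C:\Windows\explorer.exe", r"rundll32.exe C:\ProgramData\update\svc.txt,DllMain"),
    _event(r"C:\Windows\System32\svchost.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
    _event(r"C:\Program Files\Microsoft Office\WINWORD.EXE",
           r'"C:\Windows\System32\rundll32.exe" "C:\Users\Public\stage\conf.png",Run'),
    _event(r"C:\Windows\System32\cmd.exe", r"rundll32.exe C:\Temp\tools\build\mod.bin,Go"),
    _event(r"C:\Windows\System32\msiexec.exe",
           r'rundll32.exe "C:\Program Files\Vendor\App\helper.cpl",Entry'),
    _event(r"C:\Windows\System32\cmd.exe",
           r"rundll32.exe C:\Users\alice\AppData\Roaming\x\y\z\w.dat,Main"),
]

if __name__ == "__main__":
    for line in run_detection(SAMPLE_EVENTS):
        print(line)
```

Of the six constructed events, four produce a risk statement (ProgramData, Users\Public, a depth-three path under a non-Windows root, and an AppData path); the bare `shell32.dll` call and the `.cpl` under Program Files are suppressed, which mirrors the two exclusions the rule uses to hold down false positives. Tuning in practice happens in the two sets at the top: widening `COMMON_WINDOWS_ROOTS` trades coverage of depth-three paths for fewer alerts from packaged software.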
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Module
  • File
ATT&CK Techniques
  • T1218.011
Created: 2026-03-27