Unusual Network Connection via RunDLL32

Elastic Detection Rules

Summary
This rule detects unusual outbound network connections initiated by rundll32.exe, a Windows component that attackers commonly abuse for Command and Control (C2). The rule looks for rundll32.exe processes started without any arguments, which is atypical: rundll32 exists to load a DLL and call an exported function, so legitimate invocations almost always carry parameters. An argument-less rundll32.exe that then opens a network connection is therefore a signal of possible malicious activity.

The detection is a sequence query: it records the execution of rundll32.exe and correlates it with subsequent network connections from that process, filtering out private and reserved IP ranges so that only potentially hostile external addresses remain.

Suggested investigation steps: analyze the process tree, review other associations and alerts linked to the same user or host, assess the reputation of the destination address, and confirm whether this execution pattern of rundll32.exe fits organizational norms. If suspicious behavior is confirmed, follow a comprehensive incident response process, including isolating the host, securing credentials, and scanning for malware, to contain the risk and prevent further exploitation.
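The sequence logic described above, worked through in Python as an added example. This is not Elastic's rule or query language; it is an illustrative re-implementation that assumes ECS-like event fields (process.name, process.args, process.entity_id, destination.ip) flattened into dictionaries, treats "no arguments" as an args list containing only the executable path, and approximates the private/reserved exclusion with the standard library's ipaddress.is_global check. The sample events, hosts, entity ids and IP addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, List

# Constructed sample events, loosely modelled on ECS-style fields
# (process.name, process.args, process.entity_id, destination.ip).
# All values are made up for this example; "1.2.3.4" stands in for a
# routable external address and "10.1.2.3" for an internal one.
SAMPLE_EVENTS: List[Dict] = [
    # argument-less rundll32.exe followed by a connection to an external address
    {"ts": 0.0, "category": "process", "host": "ws01", "entity_id": "p-1",
     "name": "rundll32.exe", "args": ["C:\\Windows\\System32\\rundll32.exe"]},
    {"ts": 1.5, "category": "network", "host": "ws01", "entity_id": "p-1",
     "destination_ip": "1.2.3.4"},
    # rundll32 launched with a DLL and entry point: the normal, argument-bearing form
    {"ts": 2.0, "category": "process", "host": "ws01", "entity_id": "p-2",
     "name": "rundll32.exe",
     "args": ["C:\\Windows\\System32\\rundll32.exe", "shell32.dll,Control_RunDLL"]},
    {"ts": 2.5, "category": "network", "host": "ws01", "entity_id": "p-2",
     "destination_ip": "1.2.3.4"},
    # argument-less rundll32, but the connection stays inside a private range
    {"ts": 3.0, "category": "process", "host": "ws02", "entity_id": "p-3",
     "name": "rundll32.exe", "args": ["C:\\Windows\\System32\\rundll32.exe"]},
    {"ts": 3.2, "category": "network", "host": "ws02", "entity_id": "p-3",
     "destination_ip": "10.1.2.3"},
    # argument-less rundll32 whose connection arrives long after the start
    {"ts": 4.0, "category": "process", "host": "ws03", "entity_id": "p-4",
     "name": "rundll32.exe", "args": ["C:\\Windows\\System32\\rundll32.exe"]},
    {"ts": 5000.0, "category": "network", "host": "ws03", "entity_id": "p-4",
     "destination_ip": "1.2.3.4"},
]


def started_without_arguments(event: Dict) -> bool:
    """True for a rundll32.exe process-start event whose only argument is the executable itself."""
    return (event["category"] == "process"
            and event["name"].lower() == "rundll32.exe"
            and len(event.get("args", [])) == 1)


def is_external_destination(ip_text: str) -> bool:
    """Approximate the rule's private/reserved exclusion with the ipaddress module:
    is_global is False for RFC 1918, loopback, link-local, multicast, documentation
    and other IANA special-purpose ranges, so only globally routable addresses pass."""
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False  # unparsable address: do not alert on garbage


def find_rundll32_c2_candidates(events: List[Dict], max_span_seconds: float = 60.0) -> List[Dict]:
    """Two-step sequence: an argument-less rundll32.exe start, then a network connection
    from the same process (matched on entity_id) to an external address within max_span."""
    pending: Dict[str, Dict] = {}  # entity_id -> qualifying process-start event
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if started_without_arguments(ev):
            pending[ev["entity_id"]] = ev
            continue
        if ev["category"] != "network":
            continue
        start = pending.get(ev["entity_id"])
        if start is None:
            continue  # connection from a process that did not match step one
        if ev["ts"] - start["ts"] > max_span_seconds:
            continue  # outside the sequence window
        if is_external_destination(ev["destination_ip"]):
            alerts.append({"host": ev["host"], "entity_id": ev["entity_id"],
                           "destination_ip": ev["destination_ip"],
                           "command_line": " ".join(start["args"])})
    return alerts


if __name__ == "__main__":
    for alert in find_rundll32_c2_candidates(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, only the first pair (entity p-1) produces an alert: p-2 carries arguments, p-3 connects to a private address, and p-4's connection falls outside the 60-second window. The max_span window and the argument check are the two knobs that most affect false-positive volume; widening either should be done deliberately and checked against the organization's own rundll32 baseline.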
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Network Traffic
  • Windows Registry
ATT&CK Techniques
  • T1218
  • T1218.011
  • T1071
  • T1071.001
Created: 2020-02-18