
Rundll32.exe as Parent Process

Anvilogic Forge

Summary
This detection rule identifies instances where the Windows system utility "rundll32.exe" appears as the parent of a newly created process in potentially malicious activity. Adversaries abuse rundll32.exe to execute malicious code, often to circumvent security tools configured to monitor more conventional execution paths. Because rundll32.exe is a signed Windows binary that runs constantly for benign reasons, its use in such scenarios may not trigger alerts from standard security tools, either because it is allowlisted or because alerting on it produces a high false-positive rate. This behavior is particularly associated with threat actors known for employing sophisticated tactics to execute payloads without detection, such as MuddyWater, TA505, and Wizard Spider. The rule is also associated with several malware families, including Bazar, Clop, Conti, Quantum, Rhysida, and Trickbot. By monitoring process creation events whose parent is rundll32.exe, organizations can better detect and mitigate threats leveraging this binary for evasive maneuvers.
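As an added illustration of the detection logic described above (example code, not the Anvilogic Forge rule itself), the following scans process-creation events, matches a case-insensitive parent image basename of rundll32.exe, and drops parents that hit a small, environment-specific allowlist. Field names follow Sysmon Event ID 1 naming (Image, ParentImage, CommandLine, ParentCommandLine), the events and the allowlist entry are constructed sample data, and both are assumptions rather than anything taken from the rule.

```python
# Added example (not part of the Anvilogic Forge rule): flag any child process
# spawned by rundll32.exe, with a tunable allowlist for known-benign parents.
import ntpath

# Constructed sample events in the style of Sysmon Event ID 1 records.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "ParentCommandLine": r"rundll32.exe C:\Users\Public\sample.dll,Start",
     "CommandLine": r"cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\WINDOWS\SYSTEM32\RUNDLL32.EXE",
     "ParentCommandLine": r"rundll32.exe printui.dll,PrintUIEntry",
     "CommandLine": r"WerFault.exe -u -p 4242 -s 1"},
]

# Assumption: substrings of parent command lines known to be benign in the
# monitored estate. This list is environment-specific and must be tuned locally.
BENIGN_PARENT_CMDLINE_HINTS = ("printui.dll,PrintUIEntry",)


def is_rundll32(image_path: str) -> bool:
    """True when the image's basename is rundll32.exe, ignoring case and path."""
    return ntpath.basename(image_path).lower() == "rundll32.exe"


def find_rundll32_children(events):
    """Return events whose parent is rundll32.exe, minus allowlisted parents.
    Each hit is tagged with the ATT&CK technique the rule maps to."""
    hits = []
    for ev in events:
        if not is_rundll32(ev.get("ParentImage", "")):
            continue
        parent_cmd = ev.get("ParentCommandLine", "").lower()
        if any(hint.lower() in parent_cmd for hint in BENIGN_PARENT_CMDLINE_HINTS):
            continue
        hits.append({"technique": "T1218.011",
                     "parent": ev["ParentImage"],
                     "child": ev["Image"],
                     "child_cmdline": ev.get("CommandLine", "")})
    return hits


if __name__ == "__main__":
    for hit in find_rundll32_children(SAMPLE_EVENTS):
        print(hit)
```

Only the cmd.exe child is reported: the explorer.exe-parented event is not a match at all, and the WerFault.exe event is suppressed by the allowlist entry, which is exactly the false-positive tuning the summary alludes to.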
Categories
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1218.011
Created: 2024-02-09