
Summary
This detection rule identifies execution of the 'rundll32.exe' process with the 'plugininit' parameter, which is often associated with IcedID malware activity. IcedID uses this parameter to perform initial DLL staging for downloading further payloads. The analytic uses data collected from Endpoint Detection and Response (EDR) systems, focusing on process creation events and their command-line arguments. The detection captures the relevant telemetry, enabling proactive incident response against potential malware infections, data exfiltration, and broader system compromise. The rule also accounts for known false positives, including third-party applications that legitimately use the 'plugininit' DLL export name in their operations. Implementing this detection requires accurate ingestion of EDR logs that record process details, normalized through Splunk's Common Information Model (CIM).
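The following is an added example, not the rule's own SPL: a minimal Python re-implementation of the detection logic described above (rundll32.exe plus 'plugininit' on the command line), run over constructed process-creation events with an allowlist for the third-party false positive the rule notes. The CIM-style field names, the sample events and the allowlisted parent process are all assumptions.

```python
import re
from dataclasses import dataclass

# Shape of one CIM-normalized Endpoint.Processes event (field names are an assumption).
@dataclass
class ProcessEvent:
    process_name: str          # image name, e.g. rundll32.exe
    process: str               # full command line
    parent_process_name: str
    dest: str                  # host the event came from
    user: str

# Constructed sample telemetry; none of these paths or DLL names are real IcedID IoCs.
SAMPLE_EVENTS = [
    ProcessEvent("rundll32.exe", r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,PluginInit",
                 "explorer.exe", "ws01", "alice"),
    ProcessEvent("rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL",
                 "svchost.exe", "ws01", "SYSTEM"),
    ProcessEvent("regsvr32.exe", r"regsvr32.exe /s vendor.dll",
                 "cmd.exe", "ws02", "bob"),
    ProcessEvent("rundll32.exe", r'rundll32.exe "C:\Program Files\VendorApp\plugin.dll",PluginInit',
                 "VendorApp.exe", "ws03", "carol"),
]

# Case-insensitive match on the export name, as the rule keys on the command-line argument.
PLUGININIT = re.compile(r"plugininit", re.IGNORECASE)

# Tunable allowlist for the known false positive: third-party applications that legitimately
# export PluginInit. "VendorApp.exe" is a hypothetical placeholder, not a real product.
ALLOWED_PARENTS = frozenset({"VendorApp.exe"})


def is_rundll32_plugininit(ev: ProcessEvent) -> bool:
    """True when rundll32.exe is launched with a command line containing 'plugininit'."""
    return ev.process_name.lower() == "rundll32.exe" and PLUGININIT.search(ev.process) is not None


def detect(events, allowed_parents=frozenset()):
    """Return matching events, dropping those spawned by allowlisted (known-good) parents."""
    return [ev for ev in events
            if is_rundll32_plugininit(ev) and ev.parent_process_name not in allowed_parents]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, ALLOWED_PARENTS):
        print(f"ALERT {hit.dest} user={hit.user} parent={hit.parent_process_name}: {hit.process}")
```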
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- File
- Logon Session
- Application Log
ATT&CK Techniques
- T1218
- T1218.011
Created: 2024-11-13