
Summary
The detection rule titled 'rundll32.exe Executing DLL from Non-standard Directory' identifies potentially malicious use of 'rundll32.exe', a legitimate Windows utility that loads a Dynamic Link Library (DLL) and calls an exported function in it. Because it is a trusted, Microsoft-signed binary, 'rundll32.exe' is frequently abused by threat actors; the Qbot malware family, for example, has been known to drop its DLL payload into a writable directory and launch it through rundll32. This rule detects instances where 'rundll32.exe' executes a DLL located in a non-standard directory, which indicates possible abuse of the utility. The logic is implemented in Splunk and uses Windows event logs, filtering on the event codes for process creation. It checks for 'rundll32.exe' in the command line and applies regular expressions to determine whether the DLL path lies outside the permissible directories (System32, WinSxS, etc.). The output tables the relevant timestamps, host, user, and process hierarchy (parent and child process), so that security analysts can investigate potential intrusions or malware activity more effectively.
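The following is an added example, not the rule's own Splunk search, showing the same logic in Python over a handful of constructed process-creation records: filter on the process-creation event code (Security 4688 is used here), find 'rundll32' in the command line, pull out the DLL argument, and test its directory against an allowlist. System32 and WinSxS come from the page; SysWOW64, the field names, the sample events and the regular expressions are assumptions made for this example.

```python
import re
from typing import Optional

# Process-creation event ID in the Windows Security log. The page's rule filters on
# process-creation event codes; Security 4688 is used here (Sysmon EventCode 1 would
# be the equivalent for Sysmon-sourced data).
PROCESS_CREATION_EVENT_CODES = {4688}

# Permissible DLL locations. System32 and WinSxS come from the page; SysWOW64 is an
# assumption for 32-bit DLLs on 64-bit hosts. System32/SysWOW64 require the DLL to be
# a direct child (subdirectories such as System32\Tasks are user-writable); WinSxS
# allows the per-component subdirectories it normally uses.
ALLOWED_DLL_PATH = re.compile(
    r"^[a-z]:\\windows\\(?:(?:system32|syswow64)\\[^\\]+|winsxs\\.+)$",
    re.IGNORECASE,
)

# Pulls the DLL argument out of a rundll32 command line: optional quotes around the
# executable and the DLL, a path ending in .dll, followed by a comma, whitespace,
# quote or end of string (rundll32 accepts "path.dll,Entry" and "path.dll Entry").
DLL_ARGUMENT = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<path>[^",]+?\.dll)(?=["\s,]|$)',
    re.IGNORECASE,
)


def extract_dll_path(command_line: str) -> Optional[str]:
    """Return the DLL rundll32 was asked to load, or None if this is not a rundll32 call."""
    m = DLL_ARGUMENT.search(command_line)
    return m.group("path") if m else None


def is_non_standard_dll(path: str) -> bool:
    """True when the DLL has a directory component outside the permissible locations.
    A bare name (no backslash) has no directory to evaluate and is not flagged here."""
    if "\\" not in path:
        return False
    return ALLOWED_DLL_PATH.match(path) is None


def evaluate(events):
    """Apply the rule to process records and return the rows an analyst would see:
    timestamp, host, user, parent process and the offending DLL."""
    hits = []
    for ev in events:
        if ev["EventCode"] not in PROCESS_CREATION_EVENT_CODES:
            continue  # only process-creation events are in scope
        if "rundll32" not in ev["CommandLine"].lower():
            continue
        dll = extract_dll_path(ev["CommandLine"])
        if dll is None or not is_non_standard_dll(dll):
            continue
        hits.append({
            "time": ev["_time"], "host": ev["Computer"], "user": ev["User"],
            "parent": ev["ParentProcessName"], "dll": dll,
        })
    return hits


# Constructed sample events (not real telemetry), shaped like Security 4688 records.
SAMPLE_EVENTS = [
    {"_time": "2024-02-09T10:00:01", "EventCode": 4688, "Computer": "WS01", "User": "CORP\\alice",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"_time": "2024-02-09T10:00:02", "EventCode": 4688, "Computer": "WS01", "User": "CORP\\alice",
     "ParentProcessName": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "rundll32.exe url.dll,FileProtocolHandler https://example.test"},
    {"_time": "2024-02-09T10:00:03", "EventCode": 4688, "Computer": "WS01", "User": "CORP\\alice",
     "ParentProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" "
                    "\"C:\\Users\\alice\\AppData\\Roaming\\Update\\cred.dll\",DllRegisterServer"},
    {"_time": "2024-02-09T10:00:04", "EventCode": 4688, "Computer": "WS02", "User": "NT AUTHORITY\\SYSTEM",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "rundll32 C:\\Windows\\System32\\Tasks\\helper.dll StartW"},
    {"_time": "2024-02-09T10:00:05", "EventCode": 4689, "Computer": "WS02", "User": "CORP\\bob",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "rundll32.exe C:\\ProgramData\\x\\y.dll,Run"},
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_EVENTS):
        print(row)
```

Running it flags the Office-spawned DLL under AppData\Roaming and the DLL under System32\Tasks, while the shell32.dll Control Panel call and the bare url.dll invocation pass; the 4689 (process exit) record is ignored by the event-code filter. Two points worth carrying into the real Splunk search: a prefix match on System32 alone would miss user-writable subdirectories such as System32\Tasks, and a DLL given by bare name is resolved through the loader's search order rather than from a directory in the command line, so it needs a separate rule if you want to cover it.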
Categories
- Windows
- Endpoint
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1218.011
Created: 2024-02-09