
Rundll32 Internet Connection

Sigma Rules

Summary
This detection rule identifies the Windows `rundll32.exe` process initiating network connections to public IP addresses. `rundll32.exe` is commonly used to execute DLLs, and in a malicious context that same capability is abused to evade security solutions and communicate covertly with external servers. The rule triggers on a network connection initiated by `rundll32.exe`, excluding known private IP ranges and certain trusted applications and services, which reduces false positives from legitimate internal network traffic. Excluding common local ranges and known-safe parameters focuses the detection on potentially malicious activity, which is what incident response teams need from it. The rule relies on a set of filters to refine its criteria and balance sensitivity against specificity in real-world use.
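To show how the selection-and-filter structure described above behaves on actual events, here is an added illustrative re-implementation in Python; it is not the published Sigma rule and does not reproduce its exclusion lists. It assumes Sysmon Event ID 3 style field names (`Image`, `CommandLine`, `Initiated`, `DestinationIp`), and the `SAFE_CMDLINE_FRAGMENTS` list is an assumed stand-in for the rule's trusted-application and safe-parameter filters.

```python
import ipaddress

# Assumed, illustrative stand-in for the rule's "trusted application / safe
# parameter" filters; the published rule's own list is not reproduced here.
SAFE_CMDLINE_FRAGMENTS = ("shell32.dll,Control_RunDLL",)

def ev(eid, image, cmd, initiated, dst):
    """Build a constructed Sysmon Event ID 3 style record."""
    return {"id": eid, "Image": image, "CommandLine": cmd,
            "Initiated": initiated, "DestinationIp": dst}

# Constructed sample events (addresses and paths are made up for the demo).
SAMPLE_EVENTS = [
    ev("evt-1", r"C:\Windows\System32\rundll32.exe", "rundll32.exe C:\\Temp\\x.dll,Start", "true", "93.184.216.34"),
    ev("evt-2", r"C:\Windows\System32\rundll32.exe", "rundll32.exe C:\\Temp\\x.dll,Start", "true", "10.0.0.5"),
    ev("evt-3", r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL desk.cpl", "true", "93.184.216.34"),
    ev("evt-4", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", "true", "93.184.216.34"),
    ev("evt-5", r"C:\Windows\SysWOW64\RUNDLL32.EXE", "RUNDLL32.EXE y.dll,Run", "false", "93.184.216.34"),
    ev("evt-6", r"C:\Windows\SysWOW64\RUNDLL32.EXE", "RUNDLL32.EXE y.dll,Run", "true", "2606:4700::1111"),
]

def is_public(ip):
    """True only for routable destinations: RFC1918, loopback, link-local,
    multicast, reserved and unspecified ranges are the rule's 'local' exclusions."""
    try:
        a = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)

def matches(event):
    """Selection AND NOT filters, mirroring the rule's structure."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\rundll32.exe"):       # selection: process image
        return False
    if str(event.get("Initiated", "")).lower() != "true":  # outbound only
        return False
    if not is_public(event.get("DestinationIp", "")):      # filter: local ranges
        return False
    cmd = event.get("CommandLine", "").lower()
    return not any(f.lower() in cmd for f in SAFE_CMDLINE_FRAGMENTS)  # filter: safe params

def detect(events):
    """Return the ids of events that would fire the rule."""
    return [e["id"] for e in events if matches(e)]
```

Running `detect(SAMPLE_EVENTS)` fires only on evt-1 and evt-6: the private destination, the benign Control Panel parameter, the non-rundll32 image and the inbound connection are all filtered out.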
Categories
  • Windows
  • Network
  • Endpoint
Data Sources
  • Process
  • Network Traffic
Created: 2017-11-04