
Summary
This detection rule identifies potentially malicious uses of the rundll32.exe process by monitoring its parent processes. rundll32.exe is often used by attackers as a Living Off the Land Binary (LOLBAS): it is a signed Windows component, so it can be abused to execute malicious code while appearing legitimate. Legitimate parent processes for rundll32.exe include system processes such as svchost.exe, explorer.exe, and spoolsv.exe. This rule flags executions of rundll32.exe that are initiated by non-standard parent processes commonly abused by threat actors, such as winword.exe, excel.exe, and powershell.exe. Using the Windows Security event log records that track process creation (EventCode 4688), the rule applies regex patterns to select entries where rundll32.exe is launched from a potentially suspicious parent process. It also excludes cases where Internet Explorer is used for a specific action, which indicates benign activity. The output includes the details needed for each detected execution, such as timestamps, hostnames, users, processes, and parent processes, allowing for thorough investigation of potentially malicious activity.
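The matching logic described above, run over constructed 4688 records, as an added illustration rather than the rule's own query: the parent-name regex is assumed from the names the summary lists, the Internet Explorer exclusion is modelled with a placeholder command-line marker because the page does not name the benign action, and the event field names and sample records are constructed for the example.

```python
import re

# Parent names the rule summary cites as commonly abused launchers of
# rundll32.exe; the rule's real regex is not on the page, so this is assumed.
SUSPICIOUS_PARENTS = re.compile(r"(?i)(^|\\)(winword|excel|powershell)\.exe$")
RUNDLL32 = re.compile(r"(?i)(^|\\)rundll32\.exe$")
IEXPLORE = re.compile(r"(?i)(^|\\)iexplore\.exe$")
# The summary excludes one specific Internet Explorer action as benign but does
# not name it; this placeholder marker stands in for that command-line check.
IE_BENIGN_ACTION = re.compile(r"PLACEHOLDER_BENIGN_IE_ACTION")
# Fields reported per hit, mirroring the summary's investigation output.
OUTPUT_FIELDS = ("TimeCreated", "Computer", "SubjectUserName",
                 "NewProcessName", "ParentProcessName", "CommandLine")

def is_suspicious(event: dict) -> bool:
    """True when a 4688 event is rundll32.exe launched by a suspicious parent."""
    if event.get("EventCode") != 4688:
        return False
    if not RUNDLL32.search(event.get("NewProcessName", "")):
        return False
    parent = event.get("ParentProcessName", "")
    # Modelled exclusion: IE as parent performing the (placeholder) benign action.
    if IEXPLORE.search(parent) and IE_BENIGN_ACTION.search(event.get("CommandLine", "")):
        return False
    return bool(SUSPICIOUS_PARENTS.search(parent))

def detect(events: list) -> list:
    """Return the investigation fields for every event the rule would flag."""
    return [{k: e.get(k) for k in OUTPUT_FIELDS} for e in events if is_suspicious(e)]

def _event(parent: str, cmd: str, proc: str = r"C:\Windows\System32\rundll32.exe",
           code: int = 4688) -> dict:
    """Build a constructed 4688-style record (sample data, not real telemetry)."""
    return {"EventCode": code, "TimeCreated": "2024-02-09T10:00:00Z", "Computer": "WS01",
            "SubjectUserName": "alice", "NewProcessName": proc,
            "ParentProcessName": parent, "CommandLine": cmd}

# Constructed sample events: one benign system parent, two suspicious parents,
# one excluded IE case, and one 4688 record that is not rundll32 at all.
SAMPLE_EVENTS = [
    _event(r"C:\Windows\System32\svchost.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    _event(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
           r"rundll32.exe C:\Users\alice\AppData\Local\Temp\sample.dll,Entry"),
    _event(r"C:\Program Files\Internet Explorer\iexplore.exe",
           "rundll32.exe PLACEHOLDER_BENIGN_IE_ACTION"),
    _event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           r"rundll32.exe C:\Users\alice\AppData\Local\Temp\sample.dll,Entry"),
    _event(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
           "notepad.exe", proc=r"C:\Windows\System32\notepad.exe"),
]
```

Running `detect(SAMPLE_EVENTS)` yields the two rundll32 launches whose parents are WINWORD.EXE and powershell.exe; the svchost launch, the excluded IE case and the notepad record produce no hits.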
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1218.011
Created: 2024-02-09