Suspicious IcedID Rundll32 Cmdline

Splunk Security Content

Summary
This detection rule looks for suspicious `rundll32.exe` command lines associated with the IcedID malware, which uses rundll32 to execute DLLs that carry its payload. The rule matches command lines containing the pattern `*/i:*`, an argument IcedID passes when it loads its encrypted DLL, typically a file named `license.dat`. It relies on process-execution telemetry from Endpoint Detection and Response (EDR) agents, Sysmon, or Windows event logs; that data must be ingested into Splunk and mapped to the Endpoint data model so that the process name, command line, parent process and user are available for every execution. A true positive means the adversary has already executed arbitrary code on the host, putting system integrity and data at risk. The `/i:` parameter is uncommon in ordinary applications but can be used legitimately by some software, for example tools run by network operators, so the rule is tuned for a low false-positive rate but hits still need review: the module path (IcedID's is typically a `license.dat` file in a user-writable directory rather than a `.dll`), the parent process and the user context help separate IcedID from benign use.
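As an added example, not the Splunk search from this page or Splunk's own code, the following Python re-implements the rule's core condition (a rundll32 process whose command line contains `/i:`) over a handful of constructed Sysmon-style process-creation events, and attaches the triage indicators an analyst would check on a hit. The field names (`Image`, `CommandLine`, `ParentImage`, `OriginalFileName`) follow Sysmon Event ID 1, the sample events are made up, and the triage indicators and the `OriginalFileName` check for a renamed rundll32 are assumptions layered on top of the rule, not part of it.

```python
"""Rundll32 "/i:" detection over constructed Sysmon EID 1 style events.

Added example: re-implements the rule's core condition in Python.
Field names follow Sysmon Event ID 1 (assumption); sample events and the
triage indicators are constructed for illustration, not real telemetry.
"""
import ntpath
import re
import shlex

# The rule's wildcard "*/i:*" is case-insensitive in Splunk; mirror that.
SWITCH_I = re.compile(r"(?i)/i:")

# Assumed heuristic: directories a low-privileged user can write to.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

# Constructed sample events (not real data). Event 1: IcedID-like load of
# license.dat. Event 2: benign rundll32. Event 3: legitimate tool that also
# uses /i: (false-positive candidate). Event 4: renamed rundll32 copy.
# Event 5: cmd.exe whose command line merely mentions rundll32.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'rundll32.exe C:\Users\bob\AppData\Local\Temp\license.dat,#1 /i:"2f1a9c"'},
    {"Computer": "ws01", "Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"Computer": "ws02", "Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'rundll32.exe "C:\Program Files\NetTool\net.dll",Init /I:eth0'},
    {"Computer": "ws03", "Image": r"C:\Users\bob\AppData\Roaming\svc.exe",
     "OriginalFileName": "RUNDLL32.EXE", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'svc.exe C:\Users\bob\AppData\Roaming\license.dat,#1 /i:"2f1a9c"'},
    {"Computer": "ws03", "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c rundll32.exe x.dat,#1 /i:abc"},
]


def is_rundll32(event: dict) -> bool:
    """Match on the image name, or on OriginalFileName (PE version info, as
    Sysmon records it) so a renamed copy of rundll32 is still caught."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    return image == "rundll32.exe" or original == "rundll32.exe"


def module_argument(cmdline: str) -> str:
    """Return the module rundll32 was asked to load: the first argument after
    the executable, up to the comma that separates module from export."""
    tokens = shlex.split(cmdline, posix=False)  # keep Windows backslashes
    if len(tokens) < 2:
        return ""
    return tokens[1].strip('"').split(",", 1)[0].strip('"')


def risk_indicators(event: dict) -> list:
    """Assumed triage indicators (not part of the rule) to rank a hit."""
    indicators = []
    module = module_argument(event.get("CommandLine", "")).lower()
    if module and not module.endswith(".dll"):
        indicators.append("module lacks .dll extension")
    if any(p in module for p in USER_WRITABLE):
        indicators.append("module in user-writable path")
    if ntpath.basename(event.get("Image", "")).lower() != "rundll32.exe":
        indicators.append("renamed rundll32 (OriginalFileName match)")
    return indicators


def evaluate(event: dict):
    """The rule's core condition: rundll32 whose command line contains /i:.
    Returns a finding dict on a match, otherwise None."""
    if not is_rundll32(event):
        return None
    cmdline = event.get("CommandLine", "")
    if not SWITCH_I.search(cmdline):
        return None
    return {
        "dest": event.get("Computer", ""),
        "parent": ntpath.basename(event.get("ParentImage", "")),
        "module": module_argument(cmdline),
        "indicators": risk_indicators(event),
    }


def run(events: list) -> list:
    """Evaluate every event and return the findings in input order."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

Events 1, 3 and 4 are reported; event 2 lacks the `/i:` argument and event 5 is a `cmd.exe` process (its rundll32 child would arrive as a separate event). Event 3 is the kind of legitimate use the rule warns about and carries no indicators, whereas the two IcedID-like events load a non-`.dll` module from a user-writable directory, which is what an analyst would look at first.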
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Application Log
  • Process
ATT&CK Techniques
  • T1218
  • T1218.011
Created: 2024-11-13