DLL Execution from Uncommon Process

Anvilogic Forge

Summary
This detection rule identifies DLL export functions being invoked by uncommon processes, a behaviour observed with the Ursnif malware. It targets process creation events whose command line names one of the rundll32-style DLL entry points DllRegisterServer, DllMain, DllUnregisterServer, DllInstall, or DllCanUnloadNow, but whose image is not the legitimate rundll32.exe binary. The rule uses Windows Sysmon Event ID 1 (process creation): it extracts the process name from the Image field and filters out genuine rundll32.exe executions, so that a renamed or otherwise disguised copy of rundll32 still surfaces. Renaming the binary changes the image name, but the "<dll>,<export>" argument syntax that rundll32 requires survives on the command line. Sysmon also records the binary's version-resource OriginalFileName, which a renamed copy of rundll32 keeps as RUNDLL32.EXE; comparing it with the Image name is a useful corroborating check. This is a Living Off the Land Binaries and Scripts (LOLBAS) technique (ATT&CK T1218.011, System Binary Proxy Execution: Rundll32), where attackers use an existing signed system binary to load their code without initially raising alarms.
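The following is an added example of the rule's logic run over constructed Sysmon Event ID 1 records; it is not the Anvilogic Forge rule itself and the field names (EventID, Image, CommandLine, OriginalFileName) follow Sysmon's schema as assumed here. It also adds one check beyond what the page describes: flagging when OriginalFileName still reads RUNDLL32.EXE, which is how a renamed rundll32 gives itself away.

```python
import re
from typing import Dict, List, Optional

# DLL export names the rule looks for in the process command line.
# A renamed rundll32 is still invoked as "<image> <dll>,<export> [args]",
# so the export name survives the rename even though the image name does not.
DLL_EXPORTS = ("DllRegisterServer", "DllMain", "DllUnregisterServer",
               "DllInstall", "DllCanUnloadNow")
EXPORT_RE = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(DLL_EXPORTS) + r")(?![A-Za-z0-9_])"
)


def image_basename(image: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX style path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Apply the rule to one Sysmon record (dict of field -> value).

    Returns a finding dict, or None when the event does not match.
    """
    if str(event.get("EventID")) != "1":
        return None  # only process creation events are in scope
    cmd = event.get("CommandLine", "")
    m = EXPORT_RE.search(cmd)
    if not m:
        return None  # no DLL export named on the command line
    proc = image_basename(event.get("Image", ""))
    if proc == "rundll32.exe":
        return None  # the legitimate binary is excluded by the rule
    return {
        "process": proc,
        "export": m.group(1),
        "command_line": cmd,
        # Added check, not part of the rule as described on the page: a renamed
        # rundll32 keeps RUNDLL32.EXE in its version resource, which Sysmon
        # exposes as OriginalFileName.
        "renamed_rundll32": event.get("OriginalFileName", "").upper() == "RUNDLL32.EXE",
    }


def run(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Evaluate every record and return the findings in input order."""
    return [f for f in (evaluate(e) for e in events) if f]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Legitimate rundll32 calling a non-listed export: no match.
    {"EventID": "1", "Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'},
    # Legitimate rundll32 calling DllRegisterServer: excluded by the rule.
    {"EventID": "1", "Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'rundll32.exe C:\Program Files\Vendor\plugin.dll,DllRegisterServer'},
    # Renamed copy of rundll32: matches, and OriginalFileName confirms the rename.
    {"EventID": "1", "Image": r"C:\Users\Public\update.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'C:\Users\Public\update.exe C:\Users\Public\core.dll,DllRegisterServer'},
    # Some other uncommon process naming a DLL export: matches, no rename evidence.
    {"EventID": "1", "Image": r"C:\Users\user\AppData\Local\Temp\svc.exe",
     "OriginalFileName": "svc.exe",
     "CommandLine": r'svc.exe C:\Users\user\AppData\Local\Temp\a.dll,DllInstall'},
    # Network connection event (EID 3): ignored even though the fields look suspicious.
    {"EventID": "3", "Image": r"C:\Users\Public\update.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'C:\Users\Public\update.exe x.dll,DllMain'},
]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

The export-name match is anchored on word boundaries so that substrings inside unrelated paths do not trigger, and the legitimate-binary exclusion is done on the Image basename rather than the command line, because the command line is attacker-controlled text while Image is what the kernel actually executed.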
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1218.011
Created: 2024-02-09