
Rundll32 Create Remote Thread To A Process

Splunk Security Content

Summary
This detection rule identifies instances where the process rundll32.exe creates a remote thread in another process. It is based on Sysmon EventCode 8 (CreateRemoteThread), using the SourceImage and TargetImage fields to tie the injecting process to its target. This behavior is commonly associated with malicious activity, notably the IcedID malware, which uses remote thread creation to run its code inside legitimate processes in order to evade defenses and exfiltrate data. If confirmed malicious, this activity could lead to arbitrary code execution, privilege escalation, and the theft of sensitive information from the affected system. Effective implementation requires collecting and analyzing the Sysmon events that record remote thread creation.
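The following is an added example, not part of the Splunk Security Content rule itself, showing the detection logic run in Python over a handful of constructed Sysmon EventCode 8 records. The field names (SourceImage, TargetImage, SourceProcessId, TargetProcessId, StartAddress) are the ones Sysmon emits for CreateRemoteThread; the hosts, paths, PIDs and addresses are invented. The optional allowlist of target image names is an assumption added for tuning and is not something the rule as published describes.

```python
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample events shaped like Sysmon EventCode 8 (CreateRemoteThread)
# records. Hosts, paths, PIDs and addresses are invented for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # rundll32.exe creating a thread in explorer.exe: in scope for the rule
        "EventCode": "8", "Computer": "ws01.example.local",
        "SourceImage": r"C:\Windows\System32\rundll32.exe", "SourceProcessId": "4120",
        "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": "2844",
        "StartAddress": "0x00007FFB12340000", "StartModule": "", "StartFunction": "",
    },
    {   # mixed-case path from the SysWOW64 copy, targeting a browser: in scope
        "EventCode": "8", "Computer": "ws01.example.local",
        "SourceImage": r"C:\Windows\SysWOW64\RUNDLL32.EXE", "SourceProcessId": "4120",
        "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe", "TargetProcessId": "5012",
        "StartAddress": "0x00007FFB12350000", "StartModule": "", "StartFunction": "",
    },
    {   # remote thread from a different source image: not what this rule looks for
        "EventCode": "8", "Computer": "ws02.example.local",
        "SourceImage": r"C:\Program Files\ExampleAV\scanner.exe", "SourceProcessId": "900",
        "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": "2100",
        "StartAddress": "0x00007FFB00010000", "StartModule": "", "StartFunction": "",
    },
    {   # rundll32.exe process creation (EventCode 1): a different event type
        "EventCode": "1", "Computer": "ws02.example.local",
        "Image": r"C:\Windows\System32\rundll32.exe", "ProcessId": "3300",
    },
]


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_rundll32_remote_thread(
    events: Iterable[Dict[str, str]],
    allowed_targets: Optional[Set[str]] = None,
) -> List[Dict[str, str]]:
    """Return EventCode 8 records whose SourceImage is rundll32.exe.

    allowed_targets is a hypothetical tuning knob: lower-cased target file
    names listed there are suppressed (e.g. a known-good pair on a given fleet).
    """
    allowed = {t.lower() for t in (allowed_targets or set())}
    hits = []
    for ev in events:
        if ev.get("EventCode") != "8":
            continue                      # only CreateRemoteThread events
        if image_name(ev.get("SourceImage", "")) != "rundll32.exe":
            continue                      # rule keys on the injecting process
        if image_name(ev.get("TargetImage", "")) in allowed:
            continue                      # suppressed by local allowlist
        hits.append(ev)
    return hits


def summarize(hits: Iterable[Dict[str, str]]) -> Counter:
    """Aggregate hits by (Computer, SourceImage, TargetImage), the way a
    `stats count by ...` step would before the results are alerted on."""
    return Counter((h["Computer"], h["SourceImage"], h["TargetImage"]) for h in hits)


if __name__ == "__main__":
    for key, count in summarize(detect_rundll32_remote_thread(SAMPLE_EVENTS)).items():
        host, src, dst = key
        print(f"{host}: {src} -> {dst} ({count})")
```

The name comparison is done on the file name only and case-insensitively, because rundll32.exe ships in both System32 and SysWOW64 and Sysmon records the path as the OS reports it. Anything that is not EventCode 8 is ignored even if it mentions rundll32.exe, so process-creation noise does not inflate the count.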
Categories
  • Endpoint
Data Sources
  • Pod
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1055
Created: 2024-11-13