
Summary
This detection rule identifies instances of the Windows rundll32.exe process executing without any command-line arguments, which is atypical for this executable. rundll32.exe is a host for DLL exports: it is normally invoked with at least a DLL name and an entry point (for example `rundll32.exe shell32.dll,Control_RunDLL`), and when started with no arguments it has nothing to load and exits almost immediately without touching the network. A rundll32.exe process that was launched with an empty command line and then opens a network connection is therefore suspicious: the process has been kept alive and given work by something other than its command line, which is what happens when it is used as a sacrificial process for injected post-exploitation code. Cobalt Strike's default post-exploitation behaviour, spawning rundll32.exe and injecting into it, is the best-known example, which is why T1055 (Process Injection) is listed alongside the rundll32 technique. The detection relies on Endpoint Detection and Response (EDR) process-creation telemetry joined with network traffic logs on the same process, so a process-creation event alone does not fire it. By correlating process execution and network connection information, analysts can quickly investigate and respond to this behavior, limiting the window for data exfiltration or further lateral movement. When triaging, check the parent process (rundll32.exe spawned by an Office application, a script host, or an executable in a user-writable path is far more suspicious than one spawned by a known installer), the remote address and port, and whether the telemetry source actually records command lines, since a logging gap rather than an empty command line can also produce an argument-less event.
Categories
- Endpoint
Data Sources
- Pod
- Process
- Network Traffic
ATT&CK Techniques
- T1218
- T1218.011
- T1055
Created: 2024-12-10