
Suspicious Rundll32 Activity Invoking Sys File

Summary
This detection rule identifies potentially malicious use of the rundll32.exe process on Windows systems, specifically invocations whose command line references a system driver file (.sys). It targets behavior resembling malware attributed to the UNC2452 threat group, which is known for abusing legitimate processes to execute malicious payloads stealthily. The rule triggers only when the command line both references 'rundll32.exe' and contains a .sys file reference; requiring both conditions reduces the likelihood of false positives. Because modern attacks frequently leverage legitimate Windows binaries for malicious ends, this rule serves as an essential layer of defense for spotting the evasive tactics threat actors use to remain stealthy during exploitation attempts.
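The two-condition match described above, run over a handful of constructed process-creation events, as an added illustration (my own code, not the published Sigma rule or its tooling). The sample command lines and the stricter token-boundary variant are assumptions for demonstration; the published rule's logic is the simple substring check.

```python
import re

# Constructed sample process-creation events (not real telemetry).
# Only the CommandLine field matters to this rule; Image is shown for context.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\driver.sys,EntryPoint"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'RUNDLL32.EXE "C:\ProgramData\update.SYS",#1'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},       # no .sys
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c type C:\drivers\list.sys"},            # no rundll32
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Tools\report.sysx,Run"},          # .sysx, not .sys
]


def matches_rule(event):
    """Both conditions of the rule must hold: the command line references
    rundll32.exe AND contains '.sys'. Sigma string matching is case-insensitive
    by default, so compare in lowercase."""
    cmd = event.get("CommandLine", "").lower()
    return "rundll32.exe" in cmd and ".sys" in cmd


# Assumed refinement (not part of the published rule): require '.sys' to end a
# path token (followed by a quote, whitespace, a comma, or end of string), so
# names such as 'report.sysx' no longer trigger.
SYS_TOKEN = re.compile(r'\.sys(?=["\s,]|$)', re.IGNORECASE)


def matches_rule_strict(event):
    cmd = event.get("CommandLine", "")
    return "rundll32.exe" in cmd.lower() and SYS_TOKEN.search(cmd) is not None


def run_detection(events, strict=False):
    """Return the command lines that fire the rule, in event order."""
    check = matches_rule_strict if strict else matches_rule
    return [e["CommandLine"] for e in events if check(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

With the plain substring check the first, second and fifth events fire; the strict variant drops the fifth, showing where a token-boundary tweak can trim noise without touching the two core conditions.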
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2021-03-05