Suspicious Control Panel DLL Load

Summary
This Sigma rule detects rundll32.exe being started by control.exe, a parent/child pattern that has been associated with Equation Group tooling and with exploit kits abusing the Windows Control Panel to load a malicious DLL. The detection is built from a selection and a filter over process-creation events: the selection requires the parent image path to end in control.exe and the child image path to end in rundll32.exe; the filter excludes command lines that contain 'Shell32.dll', because the legitimate way control.exe launches a Control Panel applet is through rundll32.exe with Shell32.dll,Control_RunDLL. The rule fires on "selection and not filter", so an alert means control.exe spawned rundll32.exe with a command line that does not reference Shell32.dll, which is the unexpected case worth investigating. Because the filter is a plain substring exclusion, an attacker who places the string 'Shell32.dll' anywhere on the command line will not trigger this rule, so it should be paired with module-load or DLL-path telemetry rather than relied on alone. Used in that way, the rule gives security monitoring and incident response a high-signal alert on abuse of a legitimate Windows component.
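The selection-and-filter logic described above, re-implemented in plain Python and run over constructed Sysmon-style process-creation events (this is an added example, not the Sigma project's rule text or the page's own code). The field names ParentImage, Image and CommandLine follow the Sigma process_creation convention; the sample events, including the C:\Users\Public\payload.dll path, are constructed for illustration and are not real telemetry.

```python
"""Added example: the 'selection and not filter' logic of the Suspicious
Control Panel DLL Load rule, re-implemented in Python and run over constructed
process-creation events. Not the Sigma project's own code."""

from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ProcessEvent:
    # Field names follow the Sigma process_creation log source convention.
    ParentImage: str
    Image: str
    CommandLine: str


def is_suspicious_control_dll_load(ev: ProcessEvent) -> bool:
    """Return True when the event matches 'selection and not filter'.

    selection: parent image ends in control.exe, child image ends in rundll32.exe
    filter:    command line contains Shell32.dll, the legitimate Control Panel
               launch path (Shell32.dll,Control_RunDLL), which is excluded
    Windows paths and command lines are case-insensitive, so compare lowercase.
    """
    parent = ev.ParentImage.lower()
    image = ev.Image.lower()
    cmd = ev.CommandLine.lower()
    selection = parent.endswith("\\control.exe") and image.endswith("\\rundll32.exe")
    filter_benign = "shell32.dll" in cmd
    return selection and not filter_benign


def find_alerts(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Run the rule over a stream of events and return the ones that alert."""
    return [ev for ev in events if is_suspicious_control_dll_load(ev)]


# Constructed sample telemetry (not real logs). The payload.dll path is made up.
SAMPLE_EVENTS = [
    ProcessEvent(  # benign: Control Panel opening an applet the normal way
        ParentImage=r"C:\Windows\System32\control.exe",
        Image=r"C:\Windows\System32\rundll32.exe",
        CommandLine=r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\intl.cpl",',
    ),
    ProcessEvent(  # suspicious: control.exe spawned rundll32 with no Shell32.dll
        ParentImage=r"C:\Windows\System32\control.exe",
        Image=r"C:\Windows\System32\rundll32.exe",
        CommandLine=r'"C:\Windows\System32\rundll32.exe" C:\Users\Public\payload.dll,Entry',
    ),
    ProcessEvent(  # out of scope: same rundll32 command line, but parent is explorer.exe
        ParentImage=r"C:\Windows\explorer.exe",
        Image=r"C:\Windows\System32\rundll32.exe",
        CommandLine=r'"C:\Windows\System32\rundll32.exe" C:\Users\Public\payload.dll,Entry',
    ),
    ProcessEvent(  # benign, mixed case: the filter must still match
        ParentImage=r"C:\WINDOWS\SYSTEM32\CONTROL.EXE",
        Image=r"C:\WINDOWS\SYSTEM32\RUNDLL32.EXE",
        CommandLine=r'"C:\WINDOWS\SYSTEM32\RUNDLL32.EXE" SHELL32.DLL,Control_RunDLL "C:\WINDOWS\SYSTEM32\main.cpl",',
    ),
    ProcessEvent(  # evasion: attacker appends the filter string to the command line
        ParentImage=r"C:\Windows\System32\control.exe",
        Image=r"C:\Windows\System32\rundll32.exe",
        CommandLine=r'"C:\Windows\System32\rundll32.exe" C:\Users\Public\payload.dll,Entry Shell32.dll',
    ),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict = "ALERT " if is_suspicious_control_dll_load(ev) else "ignore"
        print(f"{verdict} parent={ev.ParentImage} cmd={ev.CommandLine}")
```

Only the second sample alerts. The last sample shows the limitation noted above: the rule's filter is a substring exclusion, so a command line that loads an arbitrary DLL but also mentions Shell32.dll is silently dropped. In production, corroborate with image-load events for the DLL rundll32.exe actually mapped instead of trusting the command-line text.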
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2017-04-15