
Windows Rundll32 Apply User Settings Changes

Splunk Security Content

Summary
This detection rule identifies potentially malicious executions of Rundll32, specifically command lines that invoke `user32.dll,UpdatePerUserSystemParameters`. That export forces Windows to re-read and apply per-user settings from the registry, so an attacker who has written a new desktop background or theme to the registry can use it to make the change take effect immediately, for example to display a ransom note or otherwise disguise activity on the host. The rule consumes process-creation telemetry from Sysmon EventID 1, Windows Security Event 4688, and CrowdStrike ProcessRollup2, which is why endpoint and EDR process logging matters here. Because this Rundll32 command line is uncommon in legitimate activity, the detection aims to separate benign use from suspicious behavior. The analytic has been associated with the Rhysida ransomware group, which has used this technique for defense evasion, so matches warrant prompt investigation across the environment.
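To make the matching logic concrete, the following is an added example written for this page rather than the Splunk rule itself or any vendor code. It models the analytic over a handful of constructed process-creation records (the field names `process_name`, `original_file_name`, `process` and `parent_process_name` are assumptions standing in for normalized Sysmon/4688/ProcessRollup2 fields) and shows two practitioner concerns the summary implies: checking the PE OriginalFilename so a copied or renamed rundll32.exe is still caught, and an allow-list hook for tuning out a known benign parent.

```python
"""Toy rendition of the Rundll32 UpdatePerUserSystemParameters analytic.

Added example; not Splunk's own search. Field names and the sample events
below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (assumed field names)."""
    host: str
    user: str
    process_name: str          # image file name as logged (attacker-controlled)
    original_file_name: str    # OriginalFilename from the PE version resource
    process: str               # full command line
    parent_process_name: str


# rundll32 parses "<dll>,<entrypoint>" and tolerates whitespace around the
# comma; LoadLibrary appends ".dll" when the name has no extension, so the
# extension-less form is matched as well. Case-insensitive on purpose: the
# DLL name is case-insensitive on disk and we do not want casing to evade us.
ENTRYPOINT_RE = re.compile(
    r"user32(?:\.dll)?\s*,\s*UpdatePerUserSystemParameters", re.IGNORECASE
)


def is_rundll32(ev: ProcessEvent) -> bool:
    """True if the image is rundll32 by logged name OR by PE OriginalFilename,
    so a copy saved under another name (e.g. svchost.exe) still qualifies."""
    return (ev.process_name.lower() == "rundll32.exe"
            or ev.original_file_name.upper() == "RUNDLL32.EXE")


def detect(events: Iterable[ProcessEvent],
           allowed_parents: frozenset[str] = frozenset()) -> list[ProcessEvent]:
    """Return events matching the analytic.

    allowed_parents is a tuning hook: lower-case parent image names whose
    children are treated as benign (e.g. a known deployment agent)."""
    hits: list[ProcessEvent] = []
    for ev in events:
        if not is_rundll32(ev):
            continue
        if not ENTRYPOINT_RE.search(ev.process):
            continue
        if ev.parent_process_name.lower() in allowed_parents:
            continue
        hits.append(ev)
    return hits


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    # 1. Routine rundll32 use (opening a Control Panel applet): no hit.
    ProcessEvent("ws01", r"CORP\alice", "rundll32.exe", "RUNDLL32.EXE",
                 r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL ncpa.cpl",
                 "explorer.exe"),
    # 2. Settings refresh spawned from cmd.exe: the behaviour the rule flags.
    ProcessEvent("ws01", r"CORP\alice", "rundll32.exe", "RUNDLL32.EXE",
                 r"rundll32.exe user32.dll,UpdatePerUserSystemParameters",
                 "cmd.exe"),
    # 3. Same entry point, but rundll32.exe was copied to another name;
    #    only the OriginalFilename check catches this one.
    ProcessEvent("ws02", r"CORP\bob", "svchost.exe", "RUNDLL32.EXE",
                 r"C:\Users\Public\svchost.exe USER32.DLL, UpdatePerUserSystemParameters ,1 ,True",
                 "powershell.exe"),
    # 4. Extension-less DLL name plus extra arguments, launched by a
    #    deployment agent (a candidate for the allow-list).
    ProcessEvent("ws03", r"NT AUTHORITY\SYSTEM", "rundll32.exe", "RUNDLL32.EXE",
                 r"rundll32.exe user32,UpdatePerUserSystemParameters 1, True",
                 "deploy-agent.exe"),
    # 5. The string inside another process's command line is not rundll32
    #    abuse and must not fire.
    ProcessEvent("ws04", r"CORP\carol", "notepad.exe", "NOTEPAD.EXE",
                 r'notepad.exe "C:\scripts\rundll32 user32.dll,UpdatePerUserSystemParameters.txt"',
                 "explorer.exe"),
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit.host} {hit.user} parent={hit.parent_process_name}: {hit.process}")
```

Running it flags events 2, 3 and 4; passing `allowed_parents=frozenset({"deploy-agent.exe"})` drops event 4, which is the kind of narrow, parent-based exception to prefer over suppressing the entry point string itself.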
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1218
  • T1218.011
Created: 2024-11-13