
Summary
This detection rule identifies the execution of uncommon functions exported by DLLs, particularly when they are invoked via `rundll32.exe`. DLLs are essential to Windows operation, but their use in unexpected contexts can indicate malicious activity, such as the loader behaviour used by threat actors like Qbot. The rule relies on PowerShell logging, specifically EventCode 4104 (script block logging). Its logic filters on specific function calls commonly associated with malicious behaviour, such as `VirtualAllocEx`, `CreateRemoteThread` and several others, and a regex extraction identifies which functions are being called from which DLLs, highlighting anomalies that warrant further investigation. The detection matters for monitoring Living Off the Land (LOL) binaries, since attackers may rename `rundll32.exe` to evade name-based detection. Any unexpected execution, even if potentially legitimate, should therefore be scrutinised to rule out its being part of an attack.
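As an added example (not the rule's own query or code), the following Python sketch applies the same logic to constructed EventCode 4104 script-block records: it extracts DLL function references by regex, flags the injection-related imports the rule names, and reports rundll32-style `dll,EntryPoint` invocations even when the host binary has been renamed. The sample records, the regexes and the watch-list entries beyond `VirtualAllocEx` and `CreateRemoteThread` are assumptions.

```python
import re
# Constructed PowerShell script-block events (EventCode 4104); not real log data.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "ScriptBlockText":
        '[DllImport("kernel32.dll")] public static extern IntPtr '
        'VirtualAllocEx(IntPtr h, IntPtr a, uint s, uint t, uint p);\n'
        '[DllImport("kernel32.dll")] public static extern IntPtr '
        'CreateRemoteThread(IntPtr h, IntPtr a, uint s, IntPtr st, IntPtr p, uint f, IntPtr i);'},
    {"EventCode": 4104, "ScriptBlockText":
        'Start-Process -FilePath "C:\\Users\\Public\\notrundll.exe" '
        '-ArgumentList "C:\\Users\\Public\\upd.dll,DllRegisterServer"'},
    {"EventCode": 4104, "ScriptBlockText":
        'Get-ChildItem C:\\Windows\\System32 | Where-Object Name -like "*.dll"'},
]
# Watch-list (assumption): the rule names VirtualAllocEx and CreateRemoteThread; the others are the usual companions of that injection pattern.
SUSPICIOUS_APIS = {"VirtualAllocEx", "CreateRemoteThread", "WriteProcessMemory",
                   "VirtualProtectEx", "NtCreateThreadEx", "QueueUserAPC"}
# P/Invoke declaration: [DllImport("x.dll")] ... extern <type> <Func>(
PINVOKE_RE = re.compile(r'DllImport\("(?P<dll>[^"]+)"\)[^;]*?extern\s+\S+\s+(?P<func>\w+)\s*\(')
# rundll32-style "<path>.dll,<EntryPoint>" argument, matched on its shape so a renamed rundll32.exe host is still caught.
RUNDLL_ARG_RE = re.compile(r'(?P<dll>[\w\\:.\- ]+\.dll)\s*,\s*(?P<func>\w+)', re.I)
HOST_RE = re.compile(r'([\w\\:.\-]+\.exe)', re.I)

def extract_dll_calls(script_block):
    """Return (dll, function, source) triples found in one script block's text."""
    calls = [(m["dll"], m["func"], "pinvoke") for m in PINVOKE_RE.finditer(script_block)]
    calls += [(m["dll"].strip(), m["func"], "rundll") for m in RUNDLL_ARG_RE.finditer(script_block)]
    return calls

def detect(events):
    """Apply the rule to EventCode 4104 events; return one finding per flagged DLL function."""
    findings = []
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        text = ev["ScriptBlockText"]
        for dll, func, source in extract_dll_calls(text):
            if source == "pinvoke" and func in SUSPICIOUS_APIS:
                reason = "injection-related API imported via P/Invoke"
            elif source == "rundll":
                host = HOST_RE.search(text)
                name = host.group(1).rsplit("\\", 1)[-1].lower() if host else "unknown host"
                reason = f"DLL entry point invoked via {name}"
                if name != "rundll32.exe":
                    reason += " (not rundll32.exe; possible renamed LOLBin)"
            else:
                continue  # unlisted P/Invoke import: not flagged by this rule
            findings.append({"dll": dll, "function": func, "reason": reason})
    return findings
```

In a real pipeline the script-block text would come from the 4104 event's ScriptBlockText field and the findings would be joined back to the originating process for triage.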
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1218.011
Created: 2024-02-09