
Summary
This detection rule targets potentially malicious activity involving RunDLL32, a legitimate Windows utility that is frequently abused to execute unauthorized code. It identifies unusual child processes spawned by RunDLL32 instances whose command-line parameters are suspicious. The rule runs over a 60-minute window, querying multiple data indices for cases where a RunDLL32 process that was started with a single argument goes on to launch child processes, which is not typical of legitimate usage. The rule's logic treats such occurrences as significant, indicating possible misuse of the utility to run malicious code. Investigators are given comprehensive triage guidance, including analyzing process trees, checking unsigned executables against VirusTotal, and looking for abnormal network activity. The rule's high severity rating and alerting threshold reflect the risk associated with this activity, which maps to the MITRE ATT&CK framework's defense-evasion techniques.
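The detection logic described above, as an added illustrative example written for this page (it is not the rule's own query): process-creation events are scanned for rundll32.exe instances started with exactly one command-line argument, and any child those instances spawn is reported. The event format, the sample events, and the use of the 60-minute window as the maximum gap between the RunDLL32 start and the child start are assumptions made for the example.

```python
"""Illustrative detector for rundll32.exe started with a single argument that
then spawns child processes. Example code written for this page, not the
rule's own query; event schema and window semantics are assumptions."""
import shlex
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "pid": 100, "ppid": 1,
     "name": "explorer.exe", "cmd": "C:\\Windows\\explorer.exe"},
    # rundll32 launched with only its own path: one argument, no DLL named
    {"ts": "2024-01-01T10:00:05", "pid": 200, "ppid": 100,
     "name": "rundll32.exe", "cmd": "\"C:\\Windows\\System32\\rundll32.exe\""},
    {"ts": "2024-01-01T10:00:09", "pid": 300, "ppid": 200,
     "name": "cmd.exe", "cmd": "cmd.exe /c dir"},
    # Ordinary rundll32 use: DLL and entry point supplied, so two arguments
    {"ts": "2024-01-01T10:01:00", "pid": 400, "ppid": 100,
     "name": "rundll32.exe",
     "cmd": "C:\\Windows\\System32\\rundll32.exe shell32.dll,Control_RunDLL"},
    {"ts": "2024-01-01T10:01:02", "pid": 500, "ppid": 400,
     "name": "control.exe", "cmd": "control.exe"},
    # Single-argument rundll32 whose child appears outside the 60-minute window
    {"ts": "2024-01-01T11:00:00", "pid": 600, "ppid": 100,
     "name": "rundll32.exe", "cmd": "rundll32.exe"},
    {"ts": "2024-01-01T12:30:00", "pid": 700, "ppid": 600,
     "name": "notepad.exe", "cmd": "notepad.exe"},
]


def argument_count(cmd: str) -> int:
    """Number of command-line tokens; a quoted Windows path counts as one.
    posix=False keeps backslashes literal and quoted paths intact."""
    return len(shlex.split(cmd, posix=False))


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def find_suspicious_children(events, window=timedelta(minutes=60)):
    """Return (parent_pid, child_pid, child_name) for every child of a
    rundll32.exe process that was started with exactly one argument and
    whose child started within `window` after the parent (assumed semantics)."""
    single_arg_rundll = {
        e["pid"]: parse_ts(e["ts"])
        for e in events
        if e["name"].lower() == "rundll32.exe" and argument_count(e["cmd"]) == 1
    }
    hits = []
    for e in events:
        parent_start = single_arg_rundll.get(e["ppid"])
        if parent_start is None:
            continue
        gap = parse_ts(e["ts"]) - parent_start
        if timedelta(0) <= gap <= window:
            hits.append((e["ppid"], e["pid"], e["name"]))
    return hits


if __name__ == "__main__":
    for ppid, pid, name in find_suspicious_children(SAMPLE_EVENTS):
        print(f"rundll32 pid {ppid} spawned {name} (pid {pid})")
```

Run against the constructed events, only the cmd.exe child of pid 200 is reported: the rundll32 instance that names a DLL has two arguments and is skipped, and the child of pid 600 falls outside the window. In a real deployment the same two checks (argument count on the parent, time gap to the child) are what the triage guidance above builds on before moving to process-tree and signature review.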
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1218
- T1218.011
Created: 2020-09-02