Description of the query:
Look for executions of rundll32.exe without its expected CLI args (a path to a DLL): the filter keeps only events whose command line does not contain ".dll".
Query:
-6h | plat==windows | NEW_PROCESS EXISTING_PROCESS | event/FILE_PATH contains "rundll32.exe" AND event/COMMAND_LINE not contains ".dll" | ts as Timestamp event/FILE_PATH as Path event/COMMAND_LINE as CommandLine
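
The same filter applied to constructed process events, as an added example (not part of the original page). It assumes `contains` is a case-sensitive substring test; `strict_match` is a hypothetical tightening that compares the image name exactly and ignores case, and all event values are made up for illustration.

```python
import ntpath

# Constructed sample events carrying the three fields the query projects.
SAMPLE_EVENTS = [
    {"ts": 1, "FILE_PATH": r"C:\Windows\System32\rundll32.exe",
     "COMMAND_LINE": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"ts": 2, "FILE_PATH": r"C:\Windows\System32\rundll32.exe",
     "COMMAND_LINE": r"C:\Windows\System32\rundll32.exe"},
    {"ts": 3, "FILE_PATH": r"C:\Windows\SysWOW64\rundll32.exe",
     "COMMAND_LINE": r"rundll32.exe C:\Windows\System32\SHELL32.DLL,Control_RunDLL"},
    {"ts": 4, "FILE_PATH": r"C:\Windows\SysWOW64\RUNDLL32.EXE",
     "COMMAND_LINE": r"RUNDLL32.EXE"},
    {"ts": 5, "FILE_PATH": r"C:\Windows\System32\cmd.exe",
     "COMMAND_LINE": r"cmd.exe /c dir"},
]


def query_match(event):
    """The page's filter as written (assumed case-sensitive substring tests)."""
    return ("rundll32.exe" in event["FILE_PATH"]
            and ".dll" not in event["COMMAND_LINE"])


def strict_match(event):
    """Hypothetical tightening: exact image name, case-insensitive comparisons."""
    image = ntpath.basename(event["FILE_PATH"]).lower()
    return image == "rundll32.exe" and ".dll" not in event["COMMAND_LINE"].lower()


def hunt(events, predicate):
    """Return matching events projected as Timestamp / Path / CommandLine."""
    return [
        {"Timestamp": e["ts"], "Path": e["FILE_PATH"], "CommandLine": e["COMMAND_LINE"]}
        for e in events
        if predicate(e)
    ]


if __name__ == "__main__":
    for name, pred in (("as written", query_match), ("strict", strict_match)):
        print(name)
        for row in hunt(SAMPLE_EVENTS, pred):
            print("  ", row)
```

Under that assumption the filter as written reports event 3 (a normal invocation with an upper-case `.DLL`) and misses event 4 (upper-case image path, no arguments); the case-insensitive variant reports events 2 and 4 only.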