Update Suspicious Spoolsv Child Process.md

Exploits/Print Spooler RCE/Suspicious Spoolsv Child Process.md

@@ -24,7 +24,8 @@ DeviceImageLoadEvents
 (FileName =~ "net.exe" and ProcessCommandLine !has "start") or 
 (FileName =~ "cmd.exe" and not(ProcessCommandLine has_any(".spl", "route add", "program files"))) or 
 (FileName =~ "netsh.exe" and not(ProcessCommandLine has_any("add portopening", "rule name")))) or
-(FileName =~ "powershell.exe" and ProcessCommandLine!has ".spl")
+(FileName =~ "powershell.exe" and ProcessCommandLine!has ".spl") or
+(FileName =~ "rundll32.exe" and ProcessCommandLine != "" and ProcessCommandLine !contains " ")
 ```
 ## Category
 This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.