
Summary
This detection rule aims to identify potential DLL sideloading of 'roboform.dll', a library that belongs to the RoboForm Password Manager. The detection works by monitoring image load events for the loading of DLL files named 'roboform.dll' or 'roboform-x64.dll': its selection criterion checks whether the loaded image path ends with either of these DLL names. A filter then excludes loads performed by RoboForm's own executables, 'robotaskbaricon.exe' and 'robotaskbaricon-x64.exe', when they run from 'C:\Program Files\Siber Systems\AI RoboForm\'. An alert is raised only when the selection criterion is met and the loading process is not one of those expected executables in that folder, which keeps the legitimate use case out of the results.

The rule also notes a false-positive scenario: if RoboForm is installed at user level, the loading executable sits under 'AppData\Local' rather than under Program Files, so additional filters covering such installations should be added. This detection rule is part of a broader monitoring strategy aimed at combating DLL sideloading attacks, which can lead to privilege escalation and other security impacts.
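The selection-and-filter logic described above, written out as an added Python example (not the rule's own code or the RoboForm vendor's) over a few constructed image-load events; it assumes Sigma-style field names (Image for the loading process, ImageLoaded for the DLL) and includes a hypothetical version of the suggested AppData\Local filter for user-level installs:

```python
import re
from typing import Dict, List

# Assumed Sigma-style image_load fields: Image = process that loaded the DLL,
# ImageLoaded = path of the DLL. Matching is case-insensitive, as Sigma does by default.
SIDELOAD_DLLS = ("\\roboform.dll", "\\roboform-x64.dll")
LEGIT_LOADERS = (
    "c:\\program files\\siber systems\\ai roboform\\robotaskbaricon.exe",
    "c:\\program files\\siber systems\\ai roboform\\robotaskbaricon-x64.exe",
)
# Hypothetical extra filter for per-user installs: the same loader executables
# located somewhere under a user's AppData\Local tree.
USER_INSTALL_LOADER = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\local\\.*\\robotaskbaricon(-x64)?\.exe$"
)

def matches_rule(event: Dict[str, str], filter_user_install: bool = False) -> bool:
    """Return True when the event should raise the roboform.dll sideloading alert."""
    loaded = event.get("ImageLoaded", "").lower()
    if not loaded.endswith(SIDELOAD_DLLS):      # selection: one of the RoboForm DLL names
        return False
    loader = event.get("Image", "").lower()
    if loader in LEGIT_LOADERS:                 # filter: expected loader under Program Files
        return False
    if filter_user_install and USER_INSTALL_LOADER.match(loader):
        return False                            # optional filter: user-level install
    return True

def find_sideload_alerts(events: List[Dict[str, str]], filter_user_install: bool = False) -> List[str]:
    """Return the loader path (Image) of every event that triggers the rule."""
    return [e["Image"] for e in events if matches_rule(e, filter_user_install)]

# Constructed sample events for illustration only (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\Siber Systems\\AI RoboForm\\robotaskbaricon.exe",
     "ImageLoaded": "C:\\Program Files\\Siber Systems\\AI RoboForm\\roboform.dll"},
    {"Image": "C:\\Users\\Public\\Downloads\\viewer.exe",
     "ImageLoaded": "C:\\Users\\Public\\Downloads\\roboform-x64.dll"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Siber Systems\\AI RoboForm\\robotaskbaricon-x64.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Siber Systems\\AI RoboForm\\roboform-x64.dll"},
    {"Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
]

if __name__ == "__main__":
    print("default filters :", find_sideload_alerts(SAMPLE_EVENTS))
    print("with user filter:", find_sideload_alerts(SAMPLE_EVENTS, filter_user_install=True))
```

With the default filters the user-level install (third event) is reported alongside the genuinely unexpected loader; enabling the extra filter leaves only the latter.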
Categories
- Endpoint
- Windows
Data Sources
- Image
Created: 2023-05-14