Windows Executable in Loaded Modules

Splunk Security Content

Summary
This detection rule captures instances where executable files (.exe) are loaded as modules, as recorded by Sysmon Event ID 7 (ImageLoaded). This behavior is atypical, since loaded modules are generally expected to be .dll files. Such activity can signify malicious actions, particularly by malware such as NjRAT, which employs this technique to execute arbitrary code, ensure persistence, and compromise systems. Monitoring these events is vital in the SOC environment to identify threats early and mitigate risks associated with unauthorized module loading. By tracking and analyzing this data, organizations can strengthen their security posture against threats that exploit module-loading behavior.
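The detection logic described above, applied to a few constructed Sysmon Event ID 7 records (an added example, not Splunk's own search; the flattened key=value layout, the sample paths and the helper names are assumptions):

```python
import re
from collections import Counter

# Constructed Sysmon records flattened to key=value pairs (assumed layout; the
# paths are made up). The EventCode=1 record is process-creation noise.
SAMPLE_EVENTS = [
    'EventCode=7 Image="C:\\Windows\\System32\\svchost.exe" ImageLoaded="C:\\Windows\\System32\\kernel32.dll" Signed=true',
    'EventCode=7 Image="C:\\Users\\alice\\AppData\\Roaming\\update.exe" ImageLoaded="C:\\Users\\alice\\AppData\\Roaming\\stage2.exe" Signed=false',
    'EventCode=7 Image="C:\\Windows\\System32\\notepad.exe" ImageLoaded="C:\\Windows\\System32\\USER32.DLL" Signed=true',
    'EventCode=7 Image="C:\\Program Files\\dotnet\\dotnet.exe" ImageLoaded="C:\\Program Files\\dotnet\\Tool.EXE" Signed=true',
    'EventCode=1 Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c whoami"',
]

# key=value where the value is either double-quoted (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one flattened record into a dict of field name -> value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def is_exe_module_load(event):
    """True for an ImageLoaded (EventCode 7) event whose loaded module is an .exe.
    The suffix check is case-insensitive because Windows paths are."""
    if event.get("EventCode") != "7":
        return False
    return event.get("ImageLoaded", "").lower().endswith(".exe")


def find_exe_module_loads(lines):
    """Return (Image, ImageLoaded) pairs for every matching record, in input order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_exe_module_load(event):
            hits.append((event.get("Image", ""), event["ImageLoaded"]))
    return hits


def summarize(hits):
    """Count occurrences per (loading process, loaded .exe), the way a stats-by
    aggregation would, so a noisy host does not flood the analyst with duplicates."""
    return Counter(hits)


if __name__ == "__main__":
    for (image, loaded), n in summarize(find_exe_module_loads(SAMPLE_EVENTS)).items():
        print(f"{n}x {image} loaded {loaded} as a module")
```

Legitimate software that loads .exe files as assemblies (the constructed dotnet record above, for instance) matches too, so an allowlist of known loaders is the usual tuning step before alerting.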
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Image
  • Application Log
ATT&CK Techniques
  • T1129
Created: 2024-11-13