
Summary
This rule identifies image load events in which a Microsoft Office application (Excel, Word or PowerPoint) loads kerberos.dll, the Windows Kerberos security support provider. An Office process is a common initial foothold: a malicious document can run a macro or an exploit and execute attacker code inside the trusted, signed Office process, and that code may then use Kerberos to authenticate to other hosts as part of gaining further access or moving laterally. kerberos.dll being mapped into an Office process is therefore a useful signal that authentication code is running where it normally would not.

The logic matches on the file name of the loading process (the Office executables) together with the file name of the loaded image (kerberos.dll), which keeps the match narrow and limits false positives compared with alerting on every DLL load. Because kerberos.dll is a legitimate Windows component, a single load is not proof of compromise: baseline the behaviour in your own environment and, on a hit, pivot to the Office process's parent, command line, the document it opened and any network connections it made before escalating. The rule illustrates monitoring trusted applications for behaviour outside their normal profile rather than relying on file-based indicators alone.
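The matching logic described above, applied to constructed Sysmon Event ID 7 (Image loaded) message bodies. This is an added example, not the rule's own code: the Word, Excel and PowerPoint executables come from the description, while the extra Office executable names in OFFICE_IMAGES and all sample log lines are assumptions made for the illustration.

```python
"""Added example: the 'Office application loads kerberos.dll' detection run over
constructed Sysmon Event ID 7 message bodies. Not the rule's own code."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Office executables to watch. winword/excel/powerpnt are the ones the rule
# description names; the remaining entries are assumed additions for coverage.
OFFICE_IMAGES = frozenset({
    "winword.exe", "excel.exe", "powerpnt.exe",
    "outlook.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "visio.exe",
})
TARGET_DLL = "kerberos.dll"


@dataclass(frozen=True)
class ImageLoadEvent:
    """Subset of the Sysmon Event ID 7 fields the rule needs."""
    utc_time: str
    process_id: int
    image: str         # process that performed the load
    image_loaded: str  # DLL that was mapped into it
    signature: str


def parse_sysmon_message(text: str) -> ImageLoadEvent:
    """Parse the 'Key: Value' body Sysmon writes for an Image loaded event.
    Only the first ':' splits, so timestamps and drive letters stay intact."""
    fields: dict[str, str] = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return ImageLoadEvent(
        utc_time=fields["UtcTime"],
        process_id=int(fields["ProcessId"]),
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signature=fields.get("Signature", ""),
    )


def _file_name(path: str) -> str:
    # ntpath handles Windows separators on any host; NTFS names are case-insensitive
    return ntpath.basename(path).lower()


def matches_rule(ev: ImageLoadEvent) -> bool:
    """Office process (by image name) mapping kerberos.dll (by loaded-image name).
    The comparison is on the whole file name, so 'fakekerberos.dll' is not a hit."""
    return _file_name(ev.image) in OFFICE_IMAGES and _file_name(ev.image_loaded) == TARGET_DLL


def run_detection(messages: list[str]) -> list[ImageLoadEvent]:
    """Return the events that fire the rule, in log order."""
    return [ev for ev in map(parse_sysmon_message, messages) if matches_rule(ev)]


def format_alert(ev: ImageLoadEvent) -> str:
    return (f"{ev.utc_time} pid={ev.process_id} {_file_name(ev.image)} "
            f"loaded {ev.image_loaded} (signature: {ev.signature or 'n/a'})")


# Constructed sample log bodies (not real telemetry). Only the first two should fire:
# the third is a benign DLL, the fourth is LSASS (expected to load the SSP),
# and the fifth is a look-alike file name that must not match.
SAMPLE_MESSAGES = [
    r"""Image loaded:
UtcTime: 2024-03-01 10:15:22.123
ProcessId: 4242
Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
ImageLoaded: C:\Windows\System32\kerberos.dll
Signed: true
Signature: Microsoft Windows""",
    r"""Image loaded:
UtcTime: 2024-03-01 10:16:03.001
ProcessId: 5150
Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
ImageLoaded: C:\Windows\SysWOW64\KERBEROS.DLL
Signed: true
Signature: Microsoft Windows""",
    r"""Image loaded:
UtcTime: 2024-03-01 10:16:05.417
ProcessId: 4242
Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
ImageLoaded: C:\Windows\System32\kernel32.dll
Signed: true
Signature: Microsoft Windows""",
    r"""Image loaded:
UtcTime: 2024-03-01 10:16:09.900
ProcessId: 688
Image: C:\Windows\System32\lsass.exe
ImageLoaded: C:\Windows\System32\kerberos.dll
Signed: true
Signature: Microsoft Windows""",
    r"""Image loaded:
UtcTime: 2024-03-01 10:17:44.222
ProcessId: 6010
Image: C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
ImageLoaded: C:\Users\alice\AppData\Local\Temp\fakekerberos.dll
Signed: false
Signature: -""",
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_MESSAGES):
        print("ALERT", format_alert(hit))
```

Comparing whole file names rather than substrings mirrors the rule's endswith-on-a-path-separator style of match; anything looser would turn the look-alike DLL in the last sample into a false positive.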
Categories
- Windows
- Endpoint
- Identity Management
Data Sources
- Image
Created: 2020-02-19