
Summary
This detection rule targets the loading of the sensitive Windows DLLs credui.dll and wincredui.dll from unexpected locations or by unexpected processes. Attackers abuse these modules for credential theft: they can drive fraudulent credential prompts or be used to harvest user credentials directly, which in turn enables unauthorized access and lateral movement across the network. The rule uses Sysmon EventCode 7 (image load events) and inspects the ImageLoaded field to determine whether either module is loaded from outside its standard directory, or by a process that is not a system or otherwise trusted application. Detecting this behavior gives early insight into possible credential theft activity and supports timely mitigation.
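As an added illustration, not the rule's own search logic, the following Python applies the two checks the summary describes (watched DLL loaded from a non-standard directory, or loaded by a process outside trusted locations) to a few constructed Sysmon EventCode 7 records. The allowlists of standard DLL directories and trusted process locations are assumptions to tune per environment.

```python
import ntpath

# The credential-UI modules the rule watches (named in the rule summary).
WATCHED_MODULES = {"credui.dll", "wincredui.dll"}

# Assumed allowlist of directories where these DLLs legitimately reside.
STANDARD_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Assumed allowlist of directory prefixes for trusted loading processes
# (trailing backslash avoids matching e.g. c:\windowsx).
TRUSTED_PROCESS_PREFIXES = (r"c:\windows\\".rstrip("\\") + "\\", r"c:\program files\\".rstrip("\\") + "\\")

# Constructed Sysmon records reduced to the fields the rule inspects; not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\credui.dll"},
    {"EventCode": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\credui.dll"},
    {"EventCode": 7, "Image": r"C:\Program Files\Tool\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\wincredui.dll"},
    {"EventCode": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\stage.exe",
     "ImageLoaded": r"C:\Windows\System32\wincredui.dll"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe", "ImageLoaded": ""},
]


def classify_load(event):
    """Return a reason string when an image-load event matches the rule, else None."""
    if event.get("EventCode") != 7:          # only Sysmon image-load events apply
        return None
    loaded_dir, loaded_name = ntpath.split(event.get("ImageLoaded", ""))
    if loaded_name.lower() not in WATCHED_MODULES:
        return None
    if loaded_dir.lower() not in STANDARD_DIRS:
        return "watched DLL loaded from non-standard directory"
    process_dir = ntpath.dirname(event.get("Image", "")).lower() + "\\"
    if not process_dir.startswith(TRUSTED_PROCESS_PREFIXES):
        return "watched DLL loaded by process outside trusted locations"
    return None


def find_matches(events):
    """Return (loading process, reason) for every event that matches the rule."""
    matches = []
    for event in events:
        reason = classify_load(event)
        if reason:
            matches.append((event["Image"], reason))
    return matches
```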
Categories
- Endpoint
Data Sources
- User Account
- Process
ATT&CK Techniques
- T1056.002
- T1056
Created: 2024-11-13