
Windows PowerShell Add Module to Global Assembly Cache

Splunk Security Content

Summary
This detection rule monitors the addition of a Dynamic Link Library (DLL) to the Windows Global Assembly Cache (GAC) through PowerShell. Using PowerShell Script Block Logging (Event Code 4104), it identifies script blocks that invoke 'system.enterpriseservices.internal.publish', an action that indicates changes to system-level DLLs. Because assemblies in the GAC are shared across applications, a DLL added there may allow malicious code to run in many different applications, enabling privilege escalation, code execution and persistent access on the operating system. The impact is severe, so unauthorized changes to the GAC warrant prompt detection and response.
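The matching logic described above, run over a handful of constructed 4104 records, as an added example that is not the Splunk detection's own search. It also reassembles script blocks that PowerShell split across several 4104 events (same ScriptBlockId, ordered by MessageNumber), matches the class name case-insensitively, and extracts the DLL path from a GacInstall() call for triage; hostnames, SIDs and paths are invented.

```python
import re
from collections import defaultdict

# Constructed 4104 (Script Block Logging) records, cut down to the fields the rule
# needs; hosts, SIDs and paths are invented. Long script blocks are logged as several
# 4104 events sharing a ScriptBlockId, so fragments are reassembled before matching.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01", "UserID": "S-1-5-21-1-2-3-1001",
     "ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Windows\\System32 | Measure-Object"},
    {"EventCode": 4104, "Computer": "ws02", "UserID": "S-1-5-21-1-2-3-1002",
     "ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "[System.EnterpriseServices.Internal.Publish]::new()"
                        ".GacInstall('C:\\Users\\Public\\helper.dll')"},
    # one script block logged as two fragments, delivered out of order, mixed case
    {"EventCode": 4104, "Computer": "ws03", "UserID": "S-1-5-21-1-2-3-1003",
     "ScriptBlockId": "c3", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "Internal.PUBLISH; $p.GacInstall(\"C:\\Temp\\x.dll\")"},
    {"EventCode": 4104, "Computer": "ws03", "UserID": "S-1-5-21-1-2-3-1003",
     "ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$p = New-Object System.EnterpriseServices."},
    # a non-4104 event that mentions the class must not fire the rule
    {"EventCode": 4103, "Computer": "ws04", "UserID": "S-1-5-21-1-2-3-1004",
     "Payload": "CommandInvocation: system.enterpriseservices.internal.publish"},
]

PUBLISH_CLASS = "system.enterpriseservices.internal.publish"  # compared in lower case
# Pulls the DLL path out of a GacInstall("...") or GacInstall('...') call for triage.
DLL_PATH_RE = re.compile(r"GacInstall\(\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)

def reassemble(events):
    """Yield (first_fragment, full_text) per ScriptBlockId, joined in MessageNumber order."""
    by_id = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") == 4104:
            by_id[ev["ScriptBlockId"]].append(ev)
    for frags in by_id.values():
        frags.sort(key=lambda e: e["MessageNumber"])
        yield frags[0], "".join(f["ScriptBlockText"] for f in frags)

def detect_gac_install(events):
    """Return (computer, user_id, dll_path) for each script block referencing Publish."""
    alerts = []
    for first, text in reassemble(events):
        if PUBLISH_CLASS in text.lower():
            m = DLL_PATH_RE.search(text)
            alerts.append((first["Computer"], first["UserID"], m.group(1) if m else None))
    return alerts
```

Reassembly matters in practice: without it, a fragment boundary falling inside the class name (as in the ws03 sample) is a missed detection.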
Categories
  • Windows
  • Endpoint
Data Sources
  • Pod
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1505
  • T1505.004
Created: 2024-11-13