
Summary
This detection rule identifies potential DLL sideloading from suspicious directories in a Windows environment. DLL sideloading is a technique attackers use to execute malicious code by having a legitimate application load a dynamic-link library (DLL) from a location the attacker controls instead of from the application's trusted install path. The rule uses a list of DLL names that are recognized as commonly abused and checks whether any of them has been loaded from a directory that is atypical or potentially insecure. It flags events where DLLs such as `coreclr.dll`, `facesdk.dll`, and others are loaded from directories such as `C:\Perflogs\`, `C:\Users\Public\`, or temporary folders. The detection condition requires both parts to match: the loaded image must be one of the identified DLLs, and its path must fall under at least one of the suspicious directories. The rule inspects image-load events generated by applications, helping defenders surface DLL side-loading activity before it can be leveraged for exploitation.
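The two-part condition described above, as an added example in Python that is not part of the original rule: it runs the name-plus-directory check over a few constructed Sysmon-style image-load events (Event ID 7, field `ImageLoaded`). Only the two DLL names and the two directories quoted in the summary are used; the `\Temp\` fragment is an assumption standing in for the summary's "temporary folders", and the real rule's full DLL list is longer ("and others").

```python
from __future__ import annotations

from typing import Iterable

# DLL names taken from the rule summary; the real rule lists more ("and others").
ABUSED_DLLS = ("coreclr.dll", "facesdk.dll")

# Suspicious load directories. The first two are named in the summary;
# "\Temp\" is an assumption standing in for the summary's "temporary folders".
SUSPICIOUS_DIRS = ("C:\\Perflogs\\", "C:\\Users\\Public\\", "\\Temp\\")


def is_sideload_candidate(image_loaded: str) -> bool:
    """Return True when the loaded image satisfies the rule's two-part condition:
    a known-abused DLL file name AND a path under one of the suspicious directories.
    Matching is case-insensitive because NTFS paths are."""
    path = image_loaded.lower()
    name_hit = any(path.endswith("\\" + dll) for dll in ABUSED_DLLS)
    dir_hit = any(d.lower() in path for d in SUSPICIOUS_DIRS)
    return name_hit and dir_hit


def detect(events: Iterable[dict]) -> list[dict]:
    """Run the rule over Sysmon-style events and return those that would alert.
    Only image-load events (EventID 7) are considered; other event types are skipped."""
    return [
        e for e in events
        if e.get("EventID") == 7 and is_sideload_candidate(e.get("ImageLoaded", ""))
    ]


# Constructed sample events (not real telemetry). The first is the benign
# case: coreclr.dll loaded from its normal .NET install location.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Program Files\\dotnet\\dotnet.exe",
     "ImageLoaded": "C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\coreclr.dll"},
    {"EventID": 7, "Image": "C:\\Users\\Public\\update.exe",
     "ImageLoaded": "C:\\Users\\Public\\coreclr.dll"},
    {"EventID": 7, "Image": "C:\\Perflogs\\viewer.exe",
     "ImageLoaded": "C:\\PerfLogs\\FaceSDK.dll"},
    {"EventID": 7, "Image": "C:\\Users\\Public\\tool.exe",
     "ImageLoaded": "C:\\Users\\Public\\harmless.dll"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\coreclr.dll", "ImageLoaded": ""},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} loaded {hit['ImageLoaded']}")
```

Of the five constructed events, only the second and third alert: the benign `coreclr.dll` load from the .NET install path fails the directory check, `harmless.dll` under `C:\Users\Public\` fails the name check, and the last record is not an image-load event at all. That mirrors why the rule requires both conditions rather than either one alone.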
Categories
- Windows
- Endpoint
Data Sources
- Image
Created: 2023-07-11