
Summary
Detects Windows Sysmon EventID 7 (ImageLoaded) events where the loaded image path is a UNC path, i.e. it begins with `\\` and points to a network share rather than a local volume. Loading a DLL or other image from a remote share lets an attacker run code inside a local process directly from infrastructure they control, which supports execution, defense evasion, and lateral movement. The search returns fields such as Computer, ImageLoaded, EventID, and process details (process_exec, process_guid, process_id, process_name, process_path) together with loaded_file/loaded_file_path and the DLL signature indicators Sysmon records for the load. It aggregates first and last seen times for each host and loaded-image combination and supports drill-down into the individual detections and their risk context.

Implementation requires Sysmon image-load telemetry (EventID 7) ingested alongside endpoint process data from the EDR, mapped to the Processes node and normalized to the Splunk CIM Endpoint data model so field names line up across sources. The detection can be tuned with approved-application or approved-share filters to reduce false positives and should be evaluated against legitimate remote imaging tools and software updates that load code from deployment shares. A literal `\\*` match also catches the local `\\?\` and `\\.\` namespace prefixes, so the UNC check should require a hostname component after the leading backslashes.
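The following is an added example, not the rule's own SPL, that runs the detection logic described above over constructed Sysmon EventID 7 records: it keeps only image loads whose path is a real UNC share path (excluding the local `\\?\` and `\\.\` prefixes), drops loads from a hypothetical approved deployment share, and aggregates first/last time, count, process IDs/GUIDs and signature status per host, loaded image and process name. The hostnames, GUIDs, share paths and the `APPROVED_SHARE_PREFIXES` allow-list are all made up for the example.

```python
import re

# Constructed Sysmon EventID 7 records (fake hosts, GUIDs and paths), not real telemetry.
SAMPLE_EVENTS = [
    {"_time": "2026-04-13T09:00:01Z", "EventCode": 7, "Computer": "WS01.corp.local",
     "Image": r"C:\Windows\System32\rundll32.exe", "ProcessId": 4120,
     "ProcessGuid": "{a1b2c3d4-0000-0000-0000-000000000001}",
     "ImageLoaded": r"\\10.0.0.5\share\helper.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"_time": "2026-04-13T09:05:30Z", "EventCode": 7, "Computer": "WS01.corp.local",
     "Image": r"C:\Windows\System32\rundll32.exe", "ProcessId": 5312,
     "ProcessGuid": "{a1b2c3d4-0000-0000-0000-000000000002}",
     "ImageLoaded": r"\\10.0.0.5\share\helper.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    # Load from an approved deployment share: should be tuned out.
    {"_time": "2026-04-13T09:07:12Z", "EventCode": 7, "Computer": "WS02.corp.local",
     "Image": r"C:\Windows\System32\regsvr32.exe", "ProcessId": 2208,
     "ProcessGuid": "{a1b2c3d4-0000-0000-0000-000000000003}",
     "ImageLoaded": r"\\fileserver01.corp.local\deploy\agent.dll", "Signed": "true", "SignatureStatus": "Valid"},
    # Ordinary local load: not a UNC path.
    {"_time": "2026-04-13T09:08:00Z", "EventCode": 7, "Computer": "WS01.corp.local",
     "Image": r"C:\Windows\explorer.exe", "ProcessId": 1644,
     "ProcessGuid": "{a1b2c3d4-0000-0000-0000-000000000004}",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true", "SignatureStatus": "Valid"},
    # Extended-path prefix: starts with two backslashes but is still a local volume.
    {"_time": "2026-04-13T09:09:45Z", "EventCode": 7, "Computer": "WS03.corp.local",
     "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 900,
     "ProcessGuid": "{a1b2c3d4-0000-0000-0000-000000000005}",
     "ImageLoaded": r"\\?\C:\Windows\System32\version.dll", "Signed": "true", "SignatureStatus": "Valid"},
    # Process-create event (EventID 1) with no ImageLoaded field: ignored.
    {"_time": "2026-04-13T09:10:02Z", "EventCode": 1, "Computer": "WS02.corp.local",
     "Image": r"C:\Windows\System32\msiexec.exe", "ProcessId": 3300,
     "ProcessGuid": "{a1b2c3d4-0000-0000-0000-000000000006}"},
    {"_time": "2026-04-13T09:11:40Z", "EventCode": 7, "Computer": "WS02.corp.local",
     "Image": r"C:\Windows\System32\msiexec.exe", "ProcessId": 3300,
     "ProcessGuid": "{a1b2c3d4-0000-0000-0000-000000000006}",
     "ImageLoaded": r"\\203.0.113.10\payload\loader.dll", "Signed": "true", "SignatureStatus": "Valid"},
]

# UNC path: two leading backslashes, a host component, then a share separator.
# The negative lookahead excludes the local \\?\ and \\.\ namespaces, which a bare "\\*" would match.
UNC_IMAGE = re.compile(r"^\\\\(?![?.]\\)[^\\]+\\")

# Hypothetical allow-list of approved deployment shares for tuning (assumed, not part of the rule).
APPROVED_SHARE_PREFIXES = ("\\\\fileserver01.corp.local\\deploy\\",)


def is_remote_image(path: str) -> bool:
    """True when the loaded image path points at a network share."""
    return bool(UNC_IMAGE.match(path))


def is_approved(path: str, approved=APPROVED_SHARE_PREFIXES) -> bool:
    """Case-insensitive prefix match against the approved-share allow-list."""
    lowered = path.lower()
    return any(lowered.startswith(p.lower()) for p in approved)


def detect_remote_image_loads(events, approved=APPROVED_SHARE_PREFIXES):
    """One row per (Computer, ImageLoaded, process_name): first/last time, count, pids, guids, signature info."""
    rows = {}
    for ev in events:
        if ev.get("EventCode") != 7:
            continue
        loaded = ev.get("ImageLoaded", "")
        if not is_remote_image(loaded) or is_approved(loaded, approved):
            continue
        process_path = ev["Image"]
        process_name = process_path.rsplit("\\", 1)[-1]
        key = (ev["Computer"], loaded, process_name)
        row = rows.setdefault(key, {
            "Computer": ev["Computer"], "ImageLoaded": loaded, "process_name": process_name,
            "process_path": process_path, "firstTime": ev["_time"], "lastTime": ev["_time"],
            "count": 0, "process_ids": set(), "process_guids": set(), "signature_status": set()})
        # Fixed-width ISO-8601 UTC timestamps compare correctly as strings.
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
        row["count"] += 1
        row["process_ids"].add(ev["ProcessId"])
        row["process_guids"].add(ev["ProcessGuid"])
        row["signature_status"].add(f'{ev.get("Signed")}/{ev.get("SignatureStatus")}')
    return sorted(rows.values(), key=lambda r: (r["Computer"], r["ImageLoaded"]))


if __name__ == "__main__":
    for r in detect_remote_image_loads(SAMPLE_EVENTS):
        print(f'{r["Computer"]} {r["process_name"]} loaded {r["ImageLoaded"]} '
              f'x{r["count"]} [{r["firstTime"]} .. {r["lastTime"]}] sig={sorted(r["signature_status"])}')
```

Running it yields two rows: the repeated rundll32 load from `\\10.0.0.5` on WS01 collapsed into one row with a count of 2 and both process IDs, and the msiexec load from `\\203.0.113.10` on WS02; the local `kernel32.dll`, the `\\?\` extended-path load and the approved deployment-share load are all dropped. Passing `approved=()` shows the untuned result with the deployment-share load included.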
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Image
- File
- Logon Session
- Module
- Script
ATT&CK Techniques
- T1129
- T1059
- T1068
- T1203
Created: 2026-04-13