
Windows DLL Search Order Hijacking Hunt with Sysmon

Splunk Security Content

Summary
This analytic rule hunts for DLL search order hijacking and DLL sideloading on Windows endpoints using Sysmon EventCode 7 (ImageLoaded), which records every DLL a process loads along with the loading process and the DLL's path. The rule flags loads where the DLL comes from a non-standard directory, one an attacker could write to in order to plant a malicious library that wins the search order over the legitimate copy, and where the file name matches an entry in a lookup table of libraries known to be hijackable. When both conditions hold, the event is surfaced as a potential hijack. The technique matters because a planted DLL runs inside a trusted, often signed, process, which lets an attacker execute arbitrary code, escalate privileges, and establish persistence. Because some legitimate applications ship their own copies of these same libraries, treat matches as candidates for triage rather than as high-fidelity alerts, and weight unsigned DLLs that sit alongside the loading executable most heavily.
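As an added example (not the Splunk rule itself, its SPL, or its lookup), the following Python reimplements the hunt logic over a handful of constructed Sysmon EventCode 7 records. The allowlisted system directories in STANDARD_DIRS, the small HIJACKABLE_DLLS set standing in for the lookup table, and the SAMPLE_EVENTS telemetry are all assumptions made for illustration; a real lookup is far larger, and the "colocated" flag is an extra triage hint added here, not part of the described rule.

```python
"""Added example: reimplementation of the DLL search order hijacking hunt
over constructed Sysmon EventCode 7 (ImageLoaded) records.
This is example code, not Splunk's rule or its lookup table."""
from pathlib import PureWindowsPath

# Assumption: load locations treated as "standard" (system copies live here).
# A real hunt may allowlist triaged vendor directories as well.
STANDARD_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
)

# Assumption: an illustrative subset of a hijackable-library lookup.
HIJACKABLE_DLLS = {
    "version.dll", "dbghelp.dll", "wlbsctrl.dll", "cryptsp.dll", "userenv.dll",
}

# Constructed Sysmon EventCode 7 records, shaped like Splunk's extracted
# fields (not real telemetry).
SAMPLE_EVENTS = [
    {"EventCode": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventCode": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll", "Signed": "false"},
    {"EventCode": 7, "Image": r"C:\Program Files\Vendor\App\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\App\dbghelp.dll", "Signed": "true"},
    {"EventCode": 7, "Image": r"C:\Users\bob\Downloads\tool.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\helper.dll", "Signed": "false"},
    {"EventCode": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\WINDOWS\SysWOW64\cryptsp.dll", "Signed": "true"},
    {"EventCode": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
]


def _parent(path: str) -> str:
    """Lower-cased parent directory; Windows paths are case-insensitive."""
    return str(PureWindowsPath(path).parent).lower()


def is_standard_dir(dll_path: str) -> bool:
    """True if the DLL sits in, or below, an allowlisted system directory."""
    parent = _parent(dll_path)
    return any(parent == d.lower() or parent.startswith(d.lower() + "\\")
               for d in STANDARD_DIRS)


def hunt(events):
    """Apply the rule: EventCode 7, hijackable file name, non-standard directory."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 7:
            continue
        loaded = ev.get("ImageLoaded", "")
        name = PureWindowsPath(loaded).name.lower()
        if name not in HIJACKABLE_DLLS or is_standard_dir(loaded):
            continue
        hits.append({
            "Image": ev["Image"],
            "ImageLoaded": loaded,
            "dll": name,
            # Sideloading pattern: the DLL sits next to the executable that
            # loaded it, so it shadows the system copy in the search order.
            "colocated": _parent(loaded) == _parent(ev["Image"]),
            "Signed": ev.get("Signed", "unknown"),
        })
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"{h['Image']} loaded {h['ImageLoaded']} "
              f"(colocated={h['colocated']}, signed={h['Signed']})")
```

Run against the sample data, the hunt returns two candidates: the unsigned version.dll loaded from a user's Temp directory (the classic hijack) and dbghelp.dll loaded by a vendor application from its own install directory, which is exactly the kind of legitimate-looking match that needs triage. The System32 and SysWOW64 loads are suppressed regardless of path casing, and helper.dll is ignored because it is not in the lookup.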
Categories
  • Windows
  • Endpoint
Data Sources
  • Image
  • Process
  • Application Log
ATT&CK Techniques
  • T1574.001
  • T1574
Created: 2024-11-13