
Summary
This rule detects the addition of new Dynamic-Link Libraries (DLLs) to the AppCertDlls registry key on Windows systems. Malicious actors may exploit this mechanism to achieve persistence and escalate privileges by leveraging malicious DLLs that are loaded within the context of other processes. The detection leverages Windows registry event logs, specifically monitoring modifications made to the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls registry path. When a new entry (DLL) is created within this registry key, a registry event is logged, and the rule matches on that event. This rule helps security teams identify potential misuse of the AppCertDlls functionality for persistent attacks or privilege escalation tactics, and corresponds to the ATT&CK technique T1546.009.
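The matching logic described above, as an added example rather than the rule's own query: it evaluates registry write events and raises an alert when a value is created under the AppCertDlls key. Field names (EventType, TargetObject, Details, Image) follow the Sysmon registry event schema, which is an assumption about the log source, and the sample events are constructed. It also generalizes slightly beyond the summary by accepting the ControlSet00N spelling of the key, since CurrentControlSet is a link to one of those keys and some logs record the resolved name.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# AppCertDlls lives under the SYSTEM hive. "CurrentControlSet" is a link to one
# of the ControlSet00N keys and logs show either spelling, so both are accepted.
# The trailing group captures the value name, i.e. the new DLL entry; the key
# itself (no trailing component) deliberately does not match.
APPCERT_VALUE_RE = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE|\\REGISTRY\\MACHINE)\\SYSTEM\\"
    r"(?:CurrentControlSet|ControlSet\d{3})\\Control\\Session Manager\\"
    r"AppCertDlls\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

# Registry event types (Sysmon-style naming, an assumption) that write an entry.
WRITE_EVENT_TYPES = {"SetValue", "CreateKey"}


@dataclass(frozen=True)
class Alert:
    value_name: str           # name of the new entry under AppCertDlls
    dll_path: str             # DLL path written as the value's data
    image: str                # process that performed the write
    technique: str = "T1546.009"


def check_event(event: dict) -> Optional[Alert]:
    """Return an Alert if this registry event adds an entry to AppCertDlls."""
    if event.get("EventType") not in WRITE_EVENT_TYPES:
        return None  # deletions and other non-write events are out of scope
    match = APPCERT_VALUE_RE.match(event.get("TargetObject", ""))
    if match is None:
        return None  # write to some other key
    return Alert(
        value_name=match.group("value"),
        dll_path=event.get("Details", ""),
        image=event.get("Image", "<unknown>"),
    )


def run_detection(events: Iterable[dict]) -> List[Alert]:
    """Run the check over a stream of events and collect the alerts."""
    return [a for a in (check_event(e) for e in events) if a is not None]


# Constructed sample events (not real telemetry). Two add values under
# AppCertDlls, one is an unrelated Run-key write, one is a deletion, and one
# creates the AppCertDlls key itself without adding a value.
SAMPLE_EVENTS = [
    {"EventType": "SetValue",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\UpdaterHook",
     "Details": r"C:\Users\Public\updhook.dll",
     "Image": r"C:\Windows\regedit.exe"},
    {"EventType": "SetValue",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls\svchelper",
     "Details": r"C:\ProgramData\svchelper.dll",
     "Image": r"C:\Windows\System32\reg.exe"},
    {"EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "Image": r"C:\Windows\explorer.exe"},
    {"EventType": "DeleteValue",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\UpdaterHook",
     "Details": "",
     "Image": r"C:\Windows\regedit.exe"},
    {"EventType": "CreateKey",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls",
     "Details": "",
     "Image": r"C:\Windows\regedit.exe"},
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(f"[{alert.technique}] {alert.image} wrote "
              f"AppCertDlls\\{alert.value_name} -> {alert.dll_path}")
```

Only the first two sample events produce alerts. The Details field carries the DLL path, which is what an analyst needs for triage; the Image field records the writing process, which is usually the next pivot in an investigation.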
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
Created: 2019-10-25