
Summary
This detection rule identifies suspicious process activity related to the loading of COM objects from three specific DLLs: wbemprox.dll, fastprox.dll, and wbemcomn.dll. It relies on Sysmon Event Code 7 (image load) to capture events in which these DLLs are loaded by processes that do not normally use them, and it filters out legitimate processes and well-known directories to reduce false positives. This activity warrants analysis because loading these COM objects in an unusual context may indicate an attempt by an attacker to leverage them for privilege escalation or to evade detection mechanisms, potentially leading to unauthorized access or persistence in the environment.
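The following is an added example of the detection logic described above, written here as Python over constructed Sysmon-style records; it is not the rule's own search or code. The page does not list the filtered processes or directories, so ALLOWED_PROCESSES and ALLOWED_DIRS below are assumed, illustrative allowlists, and the SAMPLE_EVENTS records are constructed, not real telemetry.

```python
import re
from pathlib import PureWindowsPath

# DLLs named in the rule summary; a load of any of these is the trigger condition.
WATCHED_DLLS = {"wbemprox.dll", "fastprox.dll", "wbemcomn.dll"}

# Assumed allowlists. The summary says the rule filters "legitimate processes and
# well-known directories" but does not enumerate them; these values are illustrative.
ALLOWED_PROCESSES = {"wmiprvse.exe", "svchost.exe", "mmc.exe", "wmic.exe", "msiexec.exe"}
ALLOWED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed Sysmon records in a key="value" layout (not real telemetry).
SAMPLE_EVENTS = [
    r'EventCode=7 Image="C:\Windows\System32\svchost.exe" ImageLoaded="C:\Windows\System32\wbem\wbemprox.dll"',
    r'EventCode=7 Image="C:\Windows\System32\wbem\WmiPrvSE.exe" ImageLoaded="C:\Windows\System32\wbem\fastprox.dll"',
    r'EventCode=7 Image="C:\Users\Public\updater.exe" ImageLoaded="C:\Windows\System32\wbem\wbemcomn.dll"',
    r'EventCode=7 Image="C:\Windows\Temp\stage.exe" ImageLoaded="C:\Windows\System32\wbem\wbemprox.dll"',
    r'EventCode=7 Image="C:\Users\Public\updater.exe" ImageLoaded="C:\Windows\System32\kernel32.dll"',
    r'EventCode=1 Image="C:\Users\Public\updater.exe" CommandLine="updater.exe /quiet"',
]

# Matches either key="quoted value" or key=bare_value.
_KV = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')


def parse_event(line):
    """Turn one key=value record into a dict; quoted values may contain spaces."""
    fields = {}
    for qkey, qval, key, val in _KV.findall(line):
        fields[qkey or key] = qval if qkey else val
    return fields


def is_suspicious(event):
    """Apply the rule's conditions: image-load event, watched DLL, non-allowlisted process."""
    if event.get("EventCode") != "7":
        return False
    loaded = PureWindowsPath(event.get("ImageLoaded", "")).name.lower()
    if loaded not in WATCHED_DLLS:
        return False
    image = event.get("Image", "")
    process = PureWindowsPath(image).name.lower()
    if process in ALLOWED_PROCESSES:
        return False
    # Directory filter: processes under well-known install locations are excluded.
    if image.lower().startswith(ALLOWED_DIRS):
        return False
    return True


def detect(lines):
    """Return (process path, DLL name) pairs for every record that satisfies the rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious(ev):
            hits.append((ev["Image"], PureWindowsPath(ev["ImageLoaded"]).name))
    return hits


if __name__ == "__main__":
    for image, dll in detect(SAMPLE_EVENTS):
        print(f"ALERT: {image} loaded {dll}")
```

Run against the constructed records, only the loads from C:\Users\Public and C:\Windows\Temp are reported: the svchost.exe and WmiPrvSE.exe loads are dropped by the process allowlist, the kernel32.dll load is not a watched DLL, and the Event Code 1 record is not an image-load event at all. Tuning in practice consists of extending the two allowlists with the hosts that legitimately load these WMI provider DLLs in a given environment.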
Categories
- Endpoint
Data Sources
- Pod
- Process
- Application Log
ATT&CK Techniques
- T1218
- T1218.003
Created: 2024-11-13