
Summary
This detection rule identifies unsigned Dynamic Link Libraries (DLLs) loaded via DLL side-loading from the same directory as the process that loads them. The technique has been linked to several malware families, including DarkGate, which uses unsigned DLLs to evade detection and escalate privileges on compromised hosts. The rule relies primarily on Sysmon logs, specifically Event ID 7 (Image loaded), to monitor DLL loading activity across the system. It checks each loaded DLL's digital signature and alerts on unsigned instances, while ignoring common system paths that are unlikely to contain malicious files. By monitoring and flagging this activity, organizations can strengthen their defenses against such threats and reduce the risk of privilege escalation and exploitation. Regular audits and adherence to security best practices remain important for maintaining a robust security posture against these attacks.
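The detection logic described above, written out as a self-contained check over constructed Sysmon Event ID 7 records. This is an added example, not the rule's own query; the excluded system path prefixes, the field names and the handling of the `Signed` value are assumptions, since the page does not show the rule body.

```python
import ntpath

# Constructed Sysmon Event ID 7 (Image loaded) records, reduced to the fields the
# check needs. These are sample events for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\setup.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\helper.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\setup.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\unsigned_test.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\ProgramData\tool\app.exe",
     "ImageLoaded": r"C:\ProgramData\tool\version.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\ProgramData\tool\app.exe",
     "ImageLoaded": "", "Signed": ""},
]

# Assumed exclusion list: directories that legitimately hold many DLLs and are
# protected by OS integrity controls, filtered out to reduce noise.
EXCLUDED_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                     "c:\\program files (x86)\\")


def _dir(path):
    """Case-insensitive parent directory of a Windows path."""
    return ntpath.dirname(path).lower().rstrip("\\")


def is_excluded(path):
    return path.lower().startswith(EXCLUDED_PREFIXES)


def is_sideload_candidate(event):
    """True when an unsigned DLL is loaded from the loading process's own directory."""
    if event.get("EventID") != 7:
        return False
    image, loaded = event["Image"], event["ImageLoaded"]
    if not loaded.lower().endswith(".dll"):
        return False
    if event.get("Signed", "").lower() != "false":
        return False
    if is_excluded(loaded):
        return False
    return _dir(image) == _dir(loaded)


def find_alerts(events):
    """Return the ImageLoaded paths that match the side-loading pattern."""
    return [e["ImageLoaded"] for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT unsigned DLL loaded from process directory:", hit)
```

On the constructed sample, only `helper.dll` and `version.dll` match: the signed `kernel32.dll`, the unsigned DLL under the excluded `C:\Windows\` tree and the non-Event-ID-7 record are all filtered out.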
Categories
- Endpoint
Data Sources
- Pod
- Container
- User Account
- Windows Registry
- Script
- Image
- Web Credential
- Named Pipe
- Certificate
- WMI
- Cloud Storage
- Internet Scan
- Persona
- Group
- Application Log
- Logon Session
- Instance
- Sensor Health
- File
- Drive
- Snapshot
- Command
- Kernel
- Driver
- Volume
- Cloud Service
- Malware Repository
- Network Share
- Network Traffic
- Scheduled Job
- Firmware
- Active Directory
- Service
- Domain Name
- Process
- Firewall
- Module
ATT&CK Techniques
- T1574.002
- T1574
Created: 2025-01-27