Potential Python DLL SideLoading

Summary
This detection rule identifies potential DLL sideloading attacks targeting Python dynamic link libraries (DLLs) in Windows environments. Sideloading refers to an application loading a dynamic library that was never explicitly installed with it or is not properly validated. The rule covers the DLL files of Python versions 3.9 to 3.12. It raises an alert when one of these Python DLLs is loaded from a path that does not match the expected installation paths of a legitimate Python installation; this includes paths typical of user-installed software or of applications that embed Python for their own functionality. Several filter conditions reduce false positives, such as legitimate software that genuinely uses the Python DLLs from its own install location. By restricting detection to loads from outside known good locations and signatures, the rule aims to identify unauthorized DLL loading within an application context reliably and accurately.
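As an added illustration that is not part of the rule or of this page, the following Python model reproduces the detection logic the summary describes over constructed image-load events. The known-good path patterns and the trusted signer value are assumed placeholders standing in for the rule's own filter list, not the rule's actual conditions.

```python
import fnmatch

# CPython ships its runtime as python<major><minor>.dll; these are the versions the rule covers.
PYTHON_DLLS = {"python39.dll", "python310.dll", "python311.dll", "python312.dll"}

# ASSUMED known-good install locations (placeholders, not the rule's real filter list).
KNOWN_GOOD_PATHS = [
    r"c:\program files\python3*\python3*.dll",
    r"c:\program files (x86)\python3*\python3*.dll",
    r"c:\users\*\appdata\local\programs\python\python3*\python3*.dll",
]

# ASSUMED trusted signer used by the signature filter (placeholder value).
TRUSTED_SIGNER = "Python Software Foundation"


def is_python_dll(image_loaded: str) -> bool:
    """True when the loaded image's file name is one of the covered Python DLLs."""
    return image_loaded.lower().rsplit("\\", 1)[-1] in PYTHON_DLLS


def in_known_good_path(image_loaded: str) -> bool:
    """True when the full path matches one of the expected installation locations."""
    path = image_loaded.lower()
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in KNOWN_GOOD_PATHS)


def should_alert(event: dict) -> bool:
    """Apply the sideloading logic to one image-load event (Sysmon-style field names)."""
    image = event.get("ImageLoaded", "")
    if not is_python_dll(image):
        return False                      # not a Python runtime DLL at all
    if in_known_good_path(image):
        return False                      # loaded from an expected install path
    if event.get("SignatureStatus") == "Valid" and event.get("Signature") == TRUSTED_SIGNER:
        return False                      # validly signed copy shipped by legitimate software
    return True                           # Python DLL from an unexpected, unvetted location


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Users\bob\AppData\Local\Programs\Python\Python311\python311.dll",
     "SignatureStatus": "Valid", "Signature": TRUSTED_SIGNER},
    {"ImageLoaded": r"C:\Users\Public\Downloads\updater\python39.dll", "SignatureStatus": "Unavailable"},
    {"ImageLoaded": r"C:\Windows\System32\kernel32.dll", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"ImageLoaded": r"C:\Tools\vendorapp\python312.dll", "SignatureStatus": "Valid", "Signature": TRUSTED_SIGNER},
]


def alerting_events(events: list) -> list:
    """Return only the events that would trigger the rule."""
    return [e for e in events if should_alert(e)]
```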
Categories
  • Endpoint
  • Windows
Data Sources
  • Image
Created: 2024-10-06