
Unsigned DLL loaded by DNS Service

Elastic Detection Rules

Summary
This detection rule identifies unsigned Dynamic Link Libraries (DLLs) loaded into the Windows DNS Server process (`dns.exe`). The DNS Server service runs as LocalSystem, so a module that lacks a trusted code signature being mapped into it can indicate exploitation of a DNS Server vulnerability or the loading of attacker-controlled code, which yields code execution as SYSTEM. The rule uses EQL to select library and process events whose `process.executable` path is `dns.exe` and whose loaded module does not carry a trusted code signature; a match suggests tampering or malicious activity. Because DNS is critical to network operation and is commonly co-located with Active Directory domain controllers, a confirmed hit warrants prompt investigation. The risk score is medium: the severity of a match depends on the operational context, and an unsigned but legitimate third-party DNS plug-in or monitoring agent can produce a false positive. Before escalating, confirm the DLL's path, publisher and hash and whether the file is expected on that host.
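The following is an added example, not Elastic's rule source and not a query shown on this page. It applies the predicate the summary describes (process is `dns.exe`, event category is library or process, loaded module is not trusted-signed) to a list of events that use ECS-style field names (`process.executable`, `event.category`, `dll.path`, `dll.code_signature.trusted`). The events are constructed here for illustration, not real telemetry, and the decision to treat an event with no signature data as untrusted is this example's choice; check how your own rule handles missing fields.

```python
"""Replay of the 'Unsigned DLL loaded by DNS Service' detection logic.

Added example: not Elastic's rule source. Field names follow ECS conventions
(process.executable, event.category, dll.path, dll.code_signature.trusted).
The sample events at the bottom are constructed, not real logs.
"""
from typing import Any, Dict, List, Optional

# Path the rule keys on. Compared case-insensitively because Windows paths
# are case-insensitive and telemetry sources differ in the casing they emit.
DNS_EXECUTABLE = r"c:\windows\system32\dns.exe"

# Event categories the rule inspects (module loads are reported under
# "library"; some sources report image loads under "process").
WATCHED_CATEGORIES = {"library", "process"}


def get_field(event: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Resolve a dotted ECS field name against a nested dict; None if absent."""
    node: Any = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def is_unsigned_dll_in_dns(event: Dict[str, Any]) -> bool:
    """True when dns.exe loads a DLL that is not trusted-signed.

    Design choice in this example: an event with no code_signature data is
    treated as untrusted, because ignoring loads the sensor failed to enrich
    would hide exactly the case the rule exists for.
    """
    executable = (get_field(event, "process.executable") or "").lower()
    if executable != DNS_EXECUTABLE:
        return False
    if get_field(event, "event.category") not in WATCHED_CATEGORIES:
        return False
    if get_field(event, "dll.path") is None:
        return False  # not a module-load event
    return get_field(event, "dll.code_signature.trusted") is not True


def find_alerts(events: List[Dict[str, Any]]) -> List[str]:
    """Return the dll.path of every event that would fire the rule."""
    return [get_field(e, "dll.path") for e in events if is_unsigned_dll_in_dns(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # Microsoft-signed system DLL: expected, no alert.
    {"event": {"category": "library", "action": "load"},
     "process": {"executable": r"C:\Windows\System32\dns.exe"},
     "dll": {"path": r"C:\Windows\System32\dnsapi.dll",
             "code_signature": {"trusted": True, "subject_name": "Microsoft Windows"}}},
    # Unsigned DLL from a writable location loaded into dns.exe: alert.
    {"event": {"category": "library", "action": "load"},
     "process": {"executable": r"C:\Windows\System32\dns.exe"},
     "dll": {"path": r"C:\Windows\Temp\plugin.dll",
             "code_signature": {"trusted": False, "status": "unsigned"}}},
    # Same unsigned DLL in a different process: outside this rule's scope.
    {"event": {"category": "library", "action": "load"},
     "process": {"executable": r"C:\Windows\System32\svchost.exe"},
     "dll": {"path": r"C:\Windows\Temp\plugin.dll",
             "code_signature": {"trusted": False, "status": "unsigned"}}},
    # dns.exe network event: not a library/process category, no alert.
    {"event": {"category": "network", "action": "connection_attempted"},
     "process": {"executable": r"C:\Windows\System32\dns.exe"}},
    # dns.exe load with no signature enrichment: treated as untrusted here.
    {"event": {"category": "library", "action": "load"},
     "process": {"executable": r"c:\windows\system32\DNS.EXE"},
     "dll": {"path": r"C:\ProgramData\Vendor\dnsmon.dll"}},
]


if __name__ == "__main__":
    for path in find_alerts(SAMPLE_EVENTS):
        print("ALERT: unsigned DLL loaded by dns.exe:", path)
```

Running the script reports `plugin.dll` and `dnsmon.dll` and stays silent on the Microsoft-signed module, the unrelated process and the network event. The second hit illustrates the triage step the summary calls for: a vendor module with no signature data is not necessarily malicious, so confirm its path, publisher and hash before escalating.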
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Network Share
ATT&CK Techniques
  • T1068 (Exploitation for Privilege Escalation)
Created: 2024-05-29