
Summary
This detection rule identifies instances in which Windows utilities load unsigned or untrusted Dynamic Link Libraries (DLLs). Adversaries often abuse this behavior to execute malicious code through trusted system processes, a tactic used to evade security controls and maintain persistence. The rule specifically monitors Windows utilities known for their ability to load DLLs, such as `InstallUtil.exe`, `RegAsm.exe`, `RegSvcs.exe`, `regsvr32.exe`, and `rundll32.exe`. Its detection logic applies filters to confirm that the loaded DLLs are either unsigned or have a problematic signature status, which indicates potentially malicious activity. Given the nature of the threat, the rule is assigned a medium severity level, emphasizing a need for investigation without categorizing the event as a critical incident. This approach aligns with threat-hunting best practice, allowing security teams to proactively address potential exploitation tactics.
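The following is an added example, not the rule's own source, that applies the detection logic described above to a few constructed Sysmon-style image-load (Event ID 7) records. The field names (Image, ImageLoaded, Signed, SignatureStatus) follow Sysmon's ImageLoad schema, the set of "problematic" signature statuses is an assumption, and the sample events and paths are constructed for illustration.

```python
from __future__ import annotations
from pathlib import PureWindowsPath

# Host utilities the rule watches (taken from the summary above).
WATCHED_UTILITIES = {
    "installutil.exe", "regasm.exe", "regsvcs.exe", "regsvr32.exe", "rundll32.exe",
}

# Signature statuses treated as "problematic" (assumed set; Sysmon reports
# values such as Valid, Unavailable, Errors, Expired and Revoked).
BAD_SIGNATURE_STATUSES = {"unavailable", "errors", "expired", "revoked"}


def is_untrusted_load(event: dict) -> bool:
    """True when a watched utility loads an unsigned or badly signed DLL."""
    host = PureWindowsPath(event.get("Image", "")).name.lower()
    if host not in WATCHED_UTILITIES:
        return False
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    if loaded.suffix.lower() != ".dll":
        return False  # the rule is about DLLs, not EXEs or other images
    signed = str(event.get("Signed", "false")).lower() == "true"
    status = str(event.get("SignatureStatus", "")).lower()
    return (not signed) or status in BAD_SIGNATURE_STATUSES


def find_untrusted_loads(events: list[dict]) -> list[dict]:
    """Filter a batch of image-load events down to the ones the rule flags."""
    return [e for e in events if is_untrusted_load(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\Public\update.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "ImageLoaded": r"C:\Temp\component.dll",
     "Signed": "true", "SignatureStatus": "Expired"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\Public\unsigned.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for hit in find_untrusted_loads(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} loaded {hit['ImageLoaded']} ({hit['SignatureStatus']})")
```

The notepad.exe record is deliberately not flagged: the rule keys on the listed host utilities, so an unsigned load by an unrelated process is out of scope for this detection.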
Categories
- Windows
Data Sources
- Image
Created: 2024-02-28