
Summary
The 'Windows DLL Search Order Hijacking Hunt' is an experimental hunting analytic for spotting potential DLL search order hijacking on Windows endpoints. Using the Sysmon TA 3.0, it maps module loads (ImageLoaded) to the process that loaded them, then checks the loaded library name against a list of Microsoft native libraries known to be hijackable, drawn from the Hijacklibs.net project, with attention to whether the loading process and the library sit under system directories such as 'system32' and 'syswow64'. Because the same library names are loaded legitimately from many paths, false positives are expected and the path-based exclusion list needs tuning per environment. The analytic depends on Sysmon image-load telemetry (Event ID 7, the source of the ImageLoaded field), so hosts without Sysmon, or with image-load logging left disabled in the Sysmon configuration, will produce no results. It is a hunt, not a high-fidelity alert, and its output should be triaged rather than actioned directly.
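The matching logic described above, reduced to a stand-alone script and run over a handful of constructed Sysmon Event ID 7 records. This is an added example, not the analytic's own Splunk search and not the HijackLibs dataset: the `HIJACKLIBS` table is an abbreviated, hand-written stand-in for a Hijacklibs.net lookup, the `EXCLUDED_PROCESS_PATHS` globs are an assumed tuning list, and the sample events are made up. The example goes one step beyond the summary by treating a library loaded from its expected system directory as benign before applying the process-path exclusions.

```python
"""Re-implementation of the DLL search order hijacking hunt over constructed
Sysmon Event ID 7 (Image loaded) records.  Added example only; the lookup
data and events below are constructed and are not the real HijackLibs list."""
import fnmatch
import ntpath

# Constructed, abbreviated lookup in the spirit of hijacklibs.net.
# "expected" = directories (lowercase, no trailing slash) where the library
# legitimately lives; a load from anywhere else is what the hunt cares about.
HIJACKLIBS = {
    "version.dll": {"expected": ["c:\\windows\\system32", "c:\\windows\\syswow64"], "ttp": "T1574.001"},
    "dbghelp.dll": {"expected": ["c:\\windows\\system32", "c:\\windows\\syswow64"], "ttp": "T1574.001"},
    "cryptbase.dll": {"expected": ["c:\\windows\\system32", "c:\\windows\\syswow64"], "ttp": "T1574.001"},
}

# Assumed exclusion list for known-good loaders, as process-path globs
# (lowercase).  This is the knob the summary says must be tuned per environment.
EXCLUDED_PROCESS_PATHS = ["c:\\program files\\vendor\\*"]

# Constructed events in the shape the Sysmon TA produces for Event ID 7.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "WS01",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\setup.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\version.dll"},
    {"_time": 1700000060, "dest": "WS01",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\setup.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\version.dll"},
    {"_time": 1700000120, "dest": "WS01",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll"},
    {"_time": 1700000180, "dest": "WS02",
     "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\dbghelp.dll"},
    {"_time": 1700000240, "dest": "WS02",
     "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\vendorcore.dll"},
]


def classify(event, hijacklibs=HIJACKLIBS, excludes=EXCLUDED_PROCESS_PATHS):
    """Classify one Event ID 7 record as 'hit', 'expected', 'excluded' or 'ignored'."""
    loaded = event["ImageLoaded"].lower()
    lib = ntpath.basename(loaded)              # loaded_file in the lookup
    entry = hijacklibs.get(lib)
    if entry is None:
        return "ignored"                       # islibrary != TRUE
    if ntpath.dirname(loaded) in entry["expected"]:
        return "expected"                      # the copy Microsoft ships
    proc = event["Image"].lower()              # process_path in the lookup
    if any(fnmatch.fnmatchcase(proc, g) for g in excludes):
        return "excluded"                      # tuned-out known-good loader
    return "hit"


def hunt(events, **kw):
    """Aggregate hits by (dest, loaded_file, process_path) with first/last seen,
    mirroring a `stats count min(_time) max(_time) by ...` tail."""
    agg = {}
    for ev in events:
        if classify(ev, **kw) != "hit":
            continue
        lib = ntpath.basename(ev["ImageLoaded"]).lower()
        key = (ev["dest"], lib, ev["Image"].lower())
        rec = agg.setdefault(key, {"count": 0, "firstTime": ev["_time"],
                                   "lastTime": ev["_time"],
                                   "ttp": kw.get("hijacklibs", HIJACKLIBS)[lib]["ttp"]})
        rec["count"] += 1
        rec["firstTime"] = min(rec["firstTime"], ev["_time"])
        rec["lastTime"] = max(rec["lastTime"], ev["_time"])
    return agg


if __name__ == "__main__":
    for (dest, lib, proc), rec in hunt(SAMPLE_EVENTS).items():
        print(f"{dest} {lib} <- {proc} x{rec['count']} "
              f"[{rec['firstTime']}..{rec['lastTime']}] {rec['ttp']}")
```

Run as-is it reports one row: `setup.exe` loading `version.dll` from a user temp directory on WS01, seen twice. The `svchost.exe` load of `version.dll` is suppressed because the DLL came from `System32`, and the vendor application's `dbghelp.dll` load is suppressed only because of the exclusion glob; remove that glob and it surfaces, which is the tuning trade-off the summary warns about.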
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1574.001
- T1574
Created: 2024-11-14