
CodeIntegrity - Revoked Image Loaded

Sigma Rules

Summary
This detection rule identifies image load events involving revoked certificates, as recorded by the Windows Code Integrity feature. Code Integrity is a core security mechanism in Windows that verifies the authenticity and integrity of the software the operating system loads. The rule matches two Event IDs tied to image loading, 3032 and 3035, to flag cases where unauthorized or untrusted software may be executing because the certificate that signed it has been revoked. Such events are significant because they can indicate an attacker attempting to bypass security controls and run compromised or unapproved code. Since certificate management is central to maintaining system integrity, detecting these loads lets organizations respond quickly to potentially severe threats. Overall, the rule strengthens security posture by enabling proactive monitoring for events that could indicate privilege escalation activity.
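As an added example (not the Sigma rule itself and not code from the Sigma project), the following Python applies the rule's two conditions, the Code Integrity operational log as log source and Event ID 3032 or 3035 as selection, to Windows event records exported as XML. The channel name is the standard Microsoft-Windows-CodeIntegrity/Operational log; the EventData field names FileNameBuffer and ProcessNameBuffer, the treatment of 3035 as the "kernel debugger attached" variant, and every sample record are assumptions constructed for this example.

```python
# Added example: apply the "CodeIntegrity - Revoked Image Loaded" logic to
# Windows event records in their XML export form. Not the Sigma project's code.
# Field names FileNameBuffer / ProcessNameBuffer are assumed; all sample
# records below are constructed.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
CODEINTEGRITY_CHANNEL = "Microsoft-Windows-CodeIntegrity/Operational"
# Event IDs named by the rule summary. To my knowledge 3035 is the variant
# where the revoked image was allowed to load because a kernel debugger was
# attached (assumption, not stated on the page).
REVOKED_IMAGE_EVENT_IDS = {3032, 3035}


@dataclass
class Alert:
    event_id: int
    computer: str
    image: str            # the revoked image that was loaded
    process: str          # the process that loaded it
    debugger_attached: bool


def parse_event(xml_text: str) -> Dict[str, object]:
    """Flatten one <Event> record into the fields the rule needs."""
    root = ET.fromstring(xml_text)

    def system_field(tag: str) -> str:
        node = root.find(f"e:System/e:{tag}", EVENT_NS)
        return (node.text or "") if node is not None else ""

    data = {
        d.get("Name"): (d.text or "")
        for d in root.findall("e:EventData/e:Data", EVENT_NS)
    }
    return {
        "EventID": int(system_field("EventID")),
        "Channel": system_field("Channel"),
        "Computer": system_field("Computer"),
        "Data": data,
    }


def matches_rule(event: Dict[str, object]) -> bool:
    """Log source guard (channel) plus the selection (EventID in 3032/3035).
    Event IDs are only unique per provider, so the channel check is not optional."""
    return (event["Channel"] == CODEINTEGRITY_CHANNEL
            and event["EventID"] in REVOKED_IMAGE_EVENT_IDS)


def evaluate(records: List[str]) -> List[Alert]:
    """Run the rule over a batch of XML event records and return the alerts."""
    alerts: List[Alert] = []
    for xml_text in records:
        ev = parse_event(xml_text)
        if not matches_rule(ev):
            continue
        data = ev["Data"]
        alerts.append(Alert(
            event_id=ev["EventID"],
            computer=ev["Computer"],
            image=data.get("FileNameBuffer", "<unknown>"),
            process=data.get("ProcessNameBuffer", "<unknown>"),
            debugger_attached=(ev["EventID"] == 3035),
        ))
    return alerts


def _event(event_id: int, channel: str, image: str, process: str,
           computer: str = "ws01.corp.example") -> str:
    """Build a constructed event record in the Windows XML export layout."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CodeIntegrity"/>
    <EventID>{event_id}</EventID>
    <Channel>{channel}</Channel>
    <Computer>{computer}</Computer>
  </System>
  <EventData>
    <Data Name="FileNameBuffer">{image}</Data>
    <Data Name="ProcessNameBuffer">{process}</Data>
  </EventData>
</Event>"""


# Constructed sample batch: two hits, one other Code Integrity event the rule
# does not select, and one ID collision on a different channel.
SAMPLE_EVENTS = [
    _event(3032, CODEINTEGRITY_CHANNEL,
           r"\Device\HarddiskVolume3\Windows\System32\drivers\revoked_example.sys",
           r"\Device\HarddiskVolume3\Windows\System32\svchost.exe"),
    _event(3033, CODEINTEGRITY_CHANNEL,
           r"\Device\HarddiskVolume3\Program Files\Vendor\tool.exe",
           r"\Device\HarddiskVolume3\Windows\explorer.exe"),
    _event(3035, CODEINTEGRITY_CHANNEL,
           r"\Device\HarddiskVolume3\Users\dev\build\test_driver.sys",
           r"\Device\HarddiskVolume3\Windows\System32\svchost.exe"),
    _event(3032, "Application",
           r"\Device\HarddiskVolume3\unrelated.dll",
           r"\Device\HarddiskVolume3\unrelated.exe"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"{alert.computer}: EventID {alert.event_id} revoked image "
              f"{alert.image} loaded by {alert.process}"
              f"{' (kernel debugger attached)' if alert.debugger_attached else ''}")
```

Run as-is it reports the 3032 and 3035 records only; the 3033 record and the 3032 record from the Application channel are dropped, which is the practical reason a Sigma rule carries both a logsource and a selection rather than an Event ID alone.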
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Image
Created: 2023-06-06