Unsigned DLL Side-Loading from a Suspicious Folder

Elastic Detection Rules

Summary
This detection rule identifies potential DLL side-loading on Windows hosts, where a trusted process is made to load a DLL from a path that adversaries commonly abuse. It fires when four conditions hold on a library-load event: the loading process carries a trusted code signature; the loaded DLL does not (the "unsigned" in the rule name); the DLL file was created or modified shortly before the load; and the DLL path sits under one of a set of commonly abused directories, such as user profile, Windows, and shared/common folders. Together these suggest an adversary dropping a fresh, unsigned DLL where a legitimately signed application will pick it up, so that the malicious code runs under the trusted process and evades controls that key on the signer. Each condition on its own is common and benign (installers write unsigned DLLs to user folders all the time), which is why the rule requires all of them at once. Investigation after an alert involves reviewing the process and DLL signatures, checking the DLL path and its creation and modification times, and confirming whether the software that performed the load is legitimately present on the host.
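The conditions described above, as an added example: a simplified re-implementation of the summary's logic run over constructed library-load events. This is not Elastic's own EQL query; the age threshold, the suspicious-folder patterns, and the event field names are assumptions for illustration.

```python
"""Simplified re-implementation of the summary's detection logic over constructed
library-load events. Added example, not Elastic's own rule query."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Assumed threshold (seconds between file creation/modification and load).
MAX_AGE_SECONDS = 500

# Assumed illustrative folder patterns; the rule's real list is not reproduced here.
# '?' matches a single drive letter, '*' matches the rest of the path.
SUSPICIOUS_DLL_PATHS = (
    r"?:\Users\*",
    r"?:\ProgramData\*",
    r"?:\Windows\Temp\*",
    r"?:\Windows\Tasks\*",
    r"?:\PerfLogs\*",
)


@dataclass(frozen=True)
class LibraryLoad:
    """One library-load event (field names are this example's, not Elastic's)."""
    process_path: str
    process_signature_trusted: bool
    dll_path: str
    dll_signature_status: str          # "trusted", "unsigned", "errorExpired", ...
    dll_age_since_creation_s: float    # seconds from file creation to this load
    dll_age_since_modification_s: float


def in_suspicious_folder(dll_path: str) -> bool:
    """Case-insensitive glob match of the DLL path against the abused-folder list."""
    path = dll_path.lower()
    return any(fnmatchcase(path, pattern.lower()) for pattern in SUSPICIOUS_DLL_PATHS)


def is_unsigned_side_load(ev: LibraryLoad) -> bool:
    """All four conditions must hold; any one alone is too noisy to alert on."""
    if not ev.process_signature_trusted:          # loader must be a trusted, signed process
        return False
    if ev.dll_signature_status == "trusted":      # the DLL itself must lack a trusted signature
        return False
    recently_written = min(ev.dll_age_since_creation_s,
                           ev.dll_age_since_modification_s) <= MAX_AGE_SECONDS
    return recently_written and in_suspicious_folder(ev.dll_path)


def scan(events):
    """Return the DLL paths of every event that matches the detection."""
    return [ev.dll_path for ev in events if is_unsigned_side_load(ev)]


# Constructed sample events covering the interesting cases.
SAMPLE_EVENTS = [
    # 1. Trusted process, unsigned DLL, just dropped into a user temp folder -> alert
    LibraryLoad(r"C:\Users\alice\AppData\Local\Temp\app\updater.exe", True,
                r"C:\Users\alice\AppData\Local\Temp\app\version.dll", "unsigned", 30, 30),
    # 2. Same load, but the DLL is trusted-signed -> no alert
    LibraryLoad(r"C:\Users\alice\AppData\Local\Temp\app\updater.exe", True,
                r"C:\Users\alice\AppData\Local\Temp\app\vendor.dll", "trusted", 30, 30),
    # 3. Unsigned and fresh, but under Program Files (not in the folder list) -> no alert
    LibraryLoad(r"C:\Program Files\Vendor\tool.exe", True,
                r"C:\Program Files\Vendor\plugin.dll", "unsigned", 40, 40),
    # 4. Loader itself is untrusted -> not this rule's concern -> no alert
    LibraryLoad(r"C:\Users\alice\Downloads\setup.exe", False,
                r"C:\Users\alice\Downloads\helper.dll", "unsigned", 10, 10),
    # 5. Unsigned DLL in ProgramData, but written two hours ago -> no alert
    LibraryLoad(r"C:\Windows\System32\svchost.exe", True,
                r"C:\ProgramData\Vendor\old.dll", "unsigned", 7200, 7200),
    # 6. Old file, but modified 20 s ago (either timestamp counts) -> alert
    LibraryLoad(r"C:\Windows\System32\svchost.exe", True,
                r"C:\ProgramData\Vendor\cache\helper.dll", "unsigned", 100000, 20),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT: unsigned DLL side-load candidate:", hit)
```

Events 1 and 6 are the only matches: event 6 shows why the rule checks modification time as well as creation time, since an attacker can overwrite an existing file in place, and events 2 to 5 each fail exactly one of the four conditions.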
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • File
  • Image (library/image load events)
ATT&CK Techniques
  • T1036 Masquerading
  • T1036.001 Invalid Code Signature
  • T1574 Hijack Execution Flow
  • T1574.002 DLL Side-Loading
Created: 2022-11-22