
Summary
This detection rule identifies the loading of diagnostic cabinet packages (diagcab files) from remote paths on Windows systems. This behavior is associated with the DogWalk vulnerability, which abuses crafted diagcab files to execute arbitrary code from remote sources. The rule triggers on Event ID 101 when the package path is a UNC (Universal Naming Convention) path, i.e., it contains '\\'. Loading such packages from unauthorized sources can indicate a significant security threat, potentially leading to code execution. The execution of diagcab packages should be monitored and their sources validated to prevent exploitation. False positives may arise when legitimate diagcab packages are hosted in authorized remote locations. This rule is categorized as high severity because of the potential impact of the associated exploits. The author of this rule is Nasreddine Bencherchali from Nextron Systems, and it was published on August 14, 2022.
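As an added example (not the rule's own definition or any vendor code), the following Python applies the rule's logic to a few constructed event records and tags hits whose UNC host is on an assumed allowlist, which is how the false-positive case mentioned above would be handled during triage. The field names EventID and PackagePath, the host names and the allowlist are assumptions, not values taken from the rule.

```python
import re

# Constructed sample events, not real telemetry. The field names "EventID" and
# "PackagePath" are assumptions about the diagnostics log schema; adjust them
# to whatever your collector emits.
SAMPLE_EVENTS = [
    {"EventID": 101, "PackagePath": r"\\10.0.0.5\share\update.diagcab"},
    {"EventID": 101, "PackagePath": r"C:\Windows\diagnostics\system\Audio.diagcab"},
    {"EventID": 101, "PackagePath": r"\\corp-fileserver\it-tools\printer.diagcab"},
    {"EventID": 102, "PackagePath": r"\\10.0.0.5\share\update.diagcab"},
]

# Remote hosts an organisation has explicitly approved for hosting diagcab
# packages (assumed example value). Hits from these hosts are likely benign.
AUTHORIZED_HOSTS = {"corp-fileserver"}

# Leading "\\host\" of a UNC path; the capture group is the host or IP.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def is_remote_diagcab_load(event):
    """Rule logic: Event ID 101 whose package path contains '\\' (a UNC path).

    A local path such as C:\\Windows\\... has only single backslashes and so
    does not match; only the double-backslash UNC prefix does.
    """
    path = str(event.get("PackagePath", ""))
    return event.get("EventID") == 101 and "\\\\" in path


def unc_host(path):
    """Return the lower-cased host component of a UNC path, or None."""
    m = UNC_RE.match(path)
    return m.group(1).lower() if m else None


def triage(events):
    """Run the rule over events and annotate each hit with its UNC host and
    whether that host is on the allowlist (a likely false positive)."""
    alerts = []
    for ev in events:
        if not is_remote_diagcab_load(ev):
            continue
        host = unc_host(ev["PackagePath"])
        alerts.append({
            "path": ev["PackagePath"],
            "host": host,
            "authorized": host in AUTHORIZED_HOSTS,
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```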
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Logon Session
- Application Log
Created: 2022-08-14