
Summary
This rule detects potential DLL sideloading of vcruntime140.dll by monitoring Windows image-load events. It targets scenarios in which a process loads vcruntime140.dll (a Microsoft C Runtime Library component) from an unexpected location, a technique threat actors use to run malicious payloads under the guise of legitimate applications.

The detection selects image loads whose path ends with \vcruntime140.dll and then excludes loads that originate from known legitimate directories (C:\Windows\System32, C:\Windows\SysWOW64, C:\Program Files, or C:\Program Files (x86)) or that carry a valid Microsoft signature with the expected C Runtime Library metadata. The rule fires when a vcruntime140.dll load satisfies neither the legitimate-path nor the valid-signer filter, indicating a potential sideload attempt or a tampered binary (as seen in campaigns such as WINELOADER, used by APT29). This helps identify attempts to bypass application controls by substituting a malicious DLL under the name of a trusted runtime library.

The rule is labeled high severity and is scoped to Windows image-load events, aligning with Windows defense-evasion and persistence techniques. Known false positives are not well characterized, hence the current placeholder "Unknown". References include published analyses of WINELOADER and related DLL-sideloading techniques.
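The selection-and-filter logic described above, re-implemented as an added Python example run over constructed Sysmon-style image-load (Event ID 7) records. This is illustrative code written for this page, not the rule's own query or any vendor's implementation. The Sysmon field names (Image, ImageLoaded, Signed, Signature, SignatureStatus, Description) are real, but the exact combination used for the "valid Microsoft signer" filter and all sample events are assumptions. The directory filter appends a trailing backslash before comparing, so a lookalike directory such as C:\Windows\System32Evil\ does not slip through the legitimate-path exclusion.

```python
import json

# Directories the rule treats as legitimate homes for vcruntime140.dll (from
# the summary). Compared case-insensitively, as a path prefix.
LEGITIMATE_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)

TARGET_SUFFIX = "\\vcruntime140.dll"


def in_legitimate_dir(image_loaded: str) -> bool:
    """True if the loaded DLL sits below one of LEGITIMATE_DIRS.

    A trailing backslash is added to each prefix so that
    C:\\Windows\\System32Evil\\vcruntime140.dll is NOT treated as legitimate."""
    path = image_loaded.lower()
    return any(path.startswith(d.lower() + "\\") for d in LEGITIMATE_DIRS)


def has_valid_microsoft_crt_signature(event: dict) -> bool:
    """Assumed shape of the signer filter: the binary must be signed, the signer
    must be Microsoft, the signature must verify, and the file description must
    identify it as the C Runtime Library. Sysmon field semantics are real; the
    exact combination is this example's assumption."""
    return (
        str(event.get("Signed", "")).lower() == "true"
        and event.get("Signature") == "Microsoft Corporation"
        and event.get("SignatureStatus") == "Valid"
        and "c runtime library" in str(event.get("Description", "")).lower()
    )


def is_sideload_candidate(event: dict) -> bool:
    """Selection: path ends with \\vcruntime140.dll. Then two exclusions."""
    loaded = str(event.get("ImageLoaded", ""))
    if not loaded.lower().endswith(TARGET_SUFFIX):
        return False  # not the DLL this rule is about
    if in_legitimate_dir(loaded):
        return False  # filter 1: known-good directory
    if has_valid_microsoft_crt_signature(event):
        return False  # filter 2: genuine Microsoft CRT binary, wherever it lives
    return True


def evaluate(jsonl: str) -> list:
    """Run the rule over newline-delimited JSON events; return (Image, ImageLoaded)
    for every event that fires. Non-image-load events are ignored."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 7:  # Sysmon Event ID 7 = image loaded
            continue
        if is_sideload_candidate(ev):
            hits.append((ev.get("Image"), ev.get("ImageLoaded")))
    return hits


# Constructed sample telemetry (not real logs). Expected: events 2, 3 and 5 fire.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Program Files\\App\\app.exe", "ImageLoaded": "C:\\Windows\\System32\\vcruntime140.dll", "Signed": "true", "Signature": "Microsoft Corporation", "SignatureStatus": "Valid", "Description": "Microsoft® C Runtime Library"}
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\vcruntime140.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable", "Description": ""}
{"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\viewer.exe", "ImageLoaded": "C:\\Windows\\System32Evil\\vcruntime140.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable", "Description": ""}
{"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\portable\\tool.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\portable\\vcruntime140.dll", "Signed": "true", "Signature": "Microsoft Corporation", "SignatureStatus": "Valid", "Description": "Microsoft® C Runtime Library"}
{"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\reader.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\vcruntime140.dll", "Signed": "true", "Signature": "Microsoft Corporation", "SignatureStatus": "Invalid", "Description": "Microsoft® C Runtime Library"}
{"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\reader.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\vcruntime140_1.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable", "Description": ""}
{"EventID": 1, "Image": "C:\\Users\\alice\\Downloads\\reader.exe", "CommandLine": "reader.exe"}
"""

if __name__ == "__main__":
    for image, loaded in evaluate(SAMPLE_EVENTS):
        print(f"ALERT  {image}  loaded  {loaded}")
```

Event 4 shows why the signer filter matters: a genuinely signed redistributable shipped next to a portable application is excluded even though it lives outside the known-good directories, while event 5 (Microsoft signer name but an invalid signature) still fires, which is the tampered-binary case the summary mentions. Note that vcruntime140_1.dll does not match the `\vcruntime140.dll` suffix and is out of scope for this rule.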
Categories
- Windows
- Endpoint
Data Sources
- Image
Created: 2026-01-12