
Summary
This detection rule identifies the creation of Dynamic Link Library (DLL) files in the plugins directory of Notepad++ installations on Windows. It flags any new DLL written to that folder by a process other than the Notepad++ updater (gup.exe), because Notepad++ loads plugin DLLs from this directory when it starts, so a DLL dropped there by a malicious actor would be executed each time the editor is launched and can serve as a persistence mechanism. The rule works by monitoring file-creation events under the Notepad++ plugins folder and distinguishing legitimate updates from potentially malicious installs. False positives are expected during a fresh installation of Notepad++ and when users install custom plugins for added functionality; user-specified paths and exclusions exist to suppress alerts that stem from such benign behavior. Overall, this detection helps protect the Notepad++ environment from unwanted tampering and plugin-based persistence.
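As an added example (not the rule's own logic and not vendor code), the following Python replays the decision described above over a handful of constructed Sysmon-style FileCreate events: a DLL under the Notepad++ plugins folder is flagged unless the writing process is gup.exe or the event matches a user-supplied exclusion. The field names, sample paths, process names and exclusion parameters are assumptions chosen for illustration.

```python
"""Replay the Notepad++ plugin-DLL persistence detection over sample file events.

Added example; not the detection rule's own implementation. Field names follow
the Sysmon Event ID 11 (FileCreate) convention as an assumption about telemetry.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence


@dataclass(frozen=True)
class FileCreateEvent:
    image: str            # full path of the process that wrote the file
    target_filename: str  # full path of the file that was created
    user: str             # account the process ran as


# Path fragments the rule keys on; comparisons are case-insensitive below.
PLUGINS_DIR_MARKER = "\\notepad++\\plugins\\"
UPDATER_SUFFIX = "\\notepad++\\updater\\gup.exe"


def is_suspicious_plugin_dll(
    event: FileCreateEvent,
    allowed_image_suffixes: Sequence[str] = (),
    allowed_target_prefixes: Sequence[str] = (),
) -> bool:
    """Return True when a DLL lands in the plugins folder from anything but gup.exe.

    allowed_image_suffixes: extra writer processes to tolerate (e.g. an installer).
    allowed_target_prefixes: plugin sub-folders the user maintains themselves.
    Both are hypothetical exclusion knobs standing in for the rule's own filters.
    """
    target = event.target_filename.lower()
    image = event.image.lower()

    # Selection: a .dll created somewhere under <install>\Notepad++\plugins\
    if PLUGINS_DIR_MARKER not in target or not target.endswith(".dll"):
        return False

    # Built-in filter: the Notepad++ updater is the expected writer.
    if image.endswith(UPDATER_SUFFIX):
        return False

    # User-specified exclusions to cut false positives (installers, custom plugins).
    if any(image.endswith(s.lower()) for s in allowed_image_suffixes):
        return False
    for prefix in allowed_target_prefixes:
        if target.startswith(prefix.lower().rstrip("\\") + "\\"):
            return False
    return True


def scan(events: Iterable[FileCreateEvent], **exclusions) -> List[FileCreateEvent]:
    """Return the events that the rule would raise an alert for."""
    return [e for e in events if is_suspicious_plugin_dll(e, **exclusions)]


# Constructed sample telemetry (paths and names are made up for this example).
SAMPLE_EVENTS = [
    # Legitimate plugin update performed by the updater: not flagged.
    FileCreateEvent(r"C:\Program Files\Notepad++\updater\GUP.exe",
                    r"C:\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll", "CORP\\alice"),
    # Script host dropping a DLL into the plugins folder: flagged.
    FileCreateEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    r"C:\Program Files\Notepad++\plugins\NppHelper\NppHelper.dll", "CORP\\alice"),
    # Notepad++ itself writing a plugin config file: not a DLL, not flagged.
    FileCreateEvent(r"C:\Program Files\Notepad++\notepad++.exe",
                    r"C:\Program Files\Notepad++\plugins\Config\NppHelper.ini", "CORP\\alice"),
    # User copying a self-built plugin with Explorer: flagged unless excluded.
    FileCreateEvent(r"C:\Windows\explorer.exe",
                    r"C:\Program Files\Notepad++\plugins\MyCustomPlugin\MyCustomPlugin.dll", "CORP\\alice"),
    # Fresh install laying down bundled plugins: flagged unless excluded.
    FileCreateEvent(r"C:\Users\alice\Downloads\npp.installer.x64.exe",
                    r"C:\Program Files\Notepad++\plugins\NppExport\NppExport.dll", "CORP\\alice"),
]

if __name__ == "__main__":
    print("default rule:")
    for hit in scan(SAMPLE_EVENTS):
        print("  ALERT", hit.image, "->", hit.target_filename)
    print("with exclusions for the installer and the custom plugin folder:")
    for hit in scan(SAMPLE_EVENTS,
                    allowed_image_suffixes=[r"\npp.installer.x64.exe"],
                    allowed_target_prefixes=[r"C:\Program Files\Notepad++\plugins\MyCustomPlugin"]):
        print("  ALERT", hit.image, "->", hit.target_filename)
```

Without exclusions the scan raises three alerts (the PowerShell drop, the Explorer copy and the installer), which mirrors the false-positive notes above; once the installer and the custom plugin folder are excluded, only the PowerShell-written DLL remains, which is the case the rule exists to catch.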
Categories
- Endpoint
- Windows
Data Sources
- File
Created: 2022-06-10