
Summary
Identifies suspicious DLL loads that masquerade as Windows System32 libraries by name but originate from non-system paths, are unsigned or signed with non-Microsoft certificates, and were recently created or modified. This signals potential DLL Search Order Hijacking, DLL planting, or backdooring/resigning of legitimate system DLLs. The rule analyzes endpoint library load events from the Elastic endpoint library data stream, applying a broad set of allow/exception rules to reduce false positives while flagging high-risk scenarios (e.g., non-trusted signatures, unusual dll.path locations, or unsigned binaries). It emphasizes correlating with process context (process.name and parent chain), checking digital signatures, and validating file creation/modification times. When matches occur, responders should investigate the DLL path, signature, and the loading process, verify against known-good publishers, and consider containment and remediation steps if malicious activity is confirmed. The rule’s logic and referenced exceptions are designed to distinguish legitimate software from masquerading binaries, while covering common persistence and defense-evasion patterns associated with DLL hijacking and related tactics.
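The following is an added illustration of the detection logic summarized above, written for this page; it is not the Elastic rule's own query. The event shape, the sample of System32 library names, the trusted-signer subjects, the allow-list prefix and the 30-day recency window are all assumptions made for the example (the rule summary does not state its window or its exception set), and the events themselves are constructed.

```python
"""Toy evaluation of the masquerading-DLL conditions: System32 library name,
non-system path, untrusted or non-Microsoft signature, recently created or
modified file, and no allow-list hit. Added example; field names are modelled
on ECS dll.* / process.* fields, but every value below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed sample of library names that normally live in System32.
SYSTEM32_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "cryptbase.dll", "wininet.dll",
    "userenv.dll", "profapi.dll", "dwmapi.dll", "uxtheme.dll",
}

# Directories from which a System32-named library is expected to load.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# Signer subjects accepted for System32-named libraries (constructed list).
TRUSTED_SUBJECTS = {"microsoft windows", "microsoft corporation"}

# Constructed allow-list standing in for the rule's exception set: locations where
# legitimate software is known to ship its own copies of these libraries.
ALLOWED_PATH_PREFIXES = (
    "c:\\program files\\example vendor\\",   # placeholder, not a real exception
)

# Assumed window: a create/modify time this close to the load counts as "recent".
RECENT_WINDOW = timedelta(days=30)


@dataclass
class LibraryLoadEvent:
    dll_name: str                     # dll.name
    dll_path: str                     # dll.path
    signature_trusted: bool           # dll.code_signature.trusted
    signature_subject: Optional[str]  # dll.code_signature.subject_name
    dll_created: datetime
    dll_modified: datetime
    process_name: str                 # process.name (the loading process)
    event_time: datetime


def is_masquerading_load(ev: LibraryLoadEvent) -> Tuple[bool, List[str]]:
    """Return (alert, reasons). All criteria are AND-ed: the first failing
    check exits early with no alert, so reasons are only complete on a hit."""
    reasons: List[str] = []
    name = ev.dll_name.lower()
    path = ev.dll_path.lower()

    if name not in SYSTEM32_DLL_NAMES:
        return False, reasons                 # not a System32-named library
    if path.startswith(SYSTEM_DIRS):
        return False, reasons                 # loaded from a genuine system directory
    if path.startswith(ALLOWED_PATH_PREFIXES):
        return False, reasons                 # known-good third-party location
    reasons.append(f"{name} loaded from non-system path {ev.dll_path}")

    subject = (ev.signature_subject or "").lower()
    if ev.signature_trusted and subject in TRUSTED_SUBJECTS:
        return False, []                      # genuine Microsoft-signed copy
    if not ev.signature_trusted:
        # Covers both unsigned files and Microsoft-named files whose signature
        # no longer validates (a backdoored or resigned system DLL).
        reasons.append("signature absent or not trusted")
    else:
        reasons.append(f"signed by non-Microsoft subject '{ev.signature_subject}'")

    # Recency: the newer of creation and last modification relative to the load.
    age = min(ev.event_time - ev.dll_created, ev.event_time - ev.dll_modified)
    if age > RECENT_WINDOW:
        return False, []                      # old file, outside the recency window
    reasons.append(f"file created/modified {age.days} day(s) before load by {ev.process_name}")
    return True, reasons


def sample_events() -> List[LibraryLoadEvent]:
    """Constructed library-load events exercising each branch."""
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    old = datetime(2021, 6, 1, tzinfo=timezone.utc)
    ev = lambda n, p, t, s, c, m, proc: LibraryLoadEvent(n, p, t, s, c, m, proc, now)
    return [
        # 1. genuine system copy: ignored
        ev("version.dll", "C:\\Windows\\System32\\version.dll", True, "Microsoft Windows", old, old, "notepad.exe"),
        # 2. unsigned copy planted beside a binary in a user-writable path yesterday: alert
        ev("version.dll", "C:\\Users\\alice\\AppData\\Local\\Temp\\update\\version.dll", False, None,
           now - timedelta(days=1), now - timedelta(days=1), "update.exe"),
        # 3. third-party signed copy that has been on disk for years: not recent, ignored
        ev("dbghelp.dll", "C:\\Program Files\\DebugTool\\dbghelp.dll", True, "DebugTool Ltd",
           datetime(2022, 1, 1, tzinfo=timezone.utc), datetime(2022, 1, 1, tzinfo=timezone.utc), "debugtool.exe"),
        # 4. allow-listed vendor location: exception applies
        ev("cryptbase.dll", "C:\\Program Files\\Example Vendor\\cryptbase.dll", False, None,
           now - timedelta(days=1), now - timedelta(days=1), "vendorapp.exe"),
        # 5. Microsoft-named subject but signature no longer validates, modified six days ago: alert
        ev("userenv.dll", "C:\\ProgramData\\svc\\userenv.dll", False, "Microsoft Windows",
           old, now - timedelta(days=6), "svchost.exe"),
    ]


def evaluate(events: List[LibraryLoadEvent]) -> List[Tuple[str, bool, List[str]]]:
    """Run the check over a batch and return (dll.path, alert, reasons) per event."""
    return [(e.dll_path, *is_masquerading_load(e)) for e in events]


if __name__ == "__main__":
    for path, alert, reasons in evaluate(sample_events()):
        print(("ALERT " if alert else "ok    ") + path)
        for r in reasons:
            print("        - " + r)
```

The early exits mirror how the rule's exceptions suppress noise: a System32-named library loaded from a Microsoft-signed, long-standing or allow-listed location never reaches the alert path, while the two hits carry the path, signature and loading-process context a responder needs for triage.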
Categories
- Endpoint
Data Sources
- Process
- File
ATT&CK Techniques
- T1036
- T1036.001
- T1036.005
- T1553
- T1553.002
- T1574
- T1574.001
- T1554
Created: 2023-08-18