
Windows Unsigned MS DLL Side-Loading

Splunk Security Content

Summary
The detection rule for Windows Unsigned MS DLL Side-Loading is designed to identify potential DLL side-loading activity involving unsigned dynamic-link libraries that impersonate Microsoft signatures. This analytic runs against Sysmon logs, specifically Event Code 7, which records the loading of an image (DLL) into a process. The key detection criteria are that both the 'Image' and 'ImageLoaded' paths lie outside trusted directories such as 'system32', 'syswow64', or 'program files'. The rule focuses particularly on DLLs such as 'vcruntime140.dll' being loaded by processes such as 'SQLDumper.exe' or 'SQLWriter.exe'. This detection is important because malicious actors frequently use DLL side-loading to execute their payloads under the guise of legitimate processes. If such instances are confirmed malicious, they can lead to significant security risks, including privilege escalation and the exfiltration of sensitive data.
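As an added illustration of the criteria above, the following Python models the rule's logic over constructed Sysmon Event ID 7 records; it is not the Splunk Security Content rule's own SPL. The field names (EventCode, Image, ImageLoaded, Signed, Company) are real Sysmon fields, but using Signed and Company as the indicator of an unsigned DLL claiming a Microsoft identity is an assumption made here, and the sample events are constructed.

```python
import re

# Added example (not the Splunk rule's own SPL). Field names are real Sysmon
# Event ID 7 fields; using Signed/Company as the "unsigned but claims
# Microsoft" indicator is an assumption.
TRUSTED_DIRS = ("\\system32\\", "\\syswow64\\", "\\program files")  # case-insensitive
WATCHED_LOADERS = {"sqldumper.exe", "sqlwriter.exe"}
WATCHED_DLLS = {"vcruntime140.dll"}

def in_trusted_dir(path: str) -> bool:
    """True if the path is under system32, syswow64 or program files."""
    p = path.lower()
    return any(t in p for t in TRUSTED_DIRS)

def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()

def is_suspicious_load(event: dict) -> bool:
    """Apply the rule's criteria to one Sysmon record (dict of field -> value)."""
    if str(event.get("EventCode")) != "7":          # only image-load events
        return False
    image, loaded = event.get("Image", ""), event.get("ImageLoaded", "")
    if in_trusted_dir(image) or in_trusted_dir(loaded):
        return False                                 # expected install locations
    if basename(image) not in WATCHED_LOADERS or basename(loaded) not in WATCHED_DLLS:
        return False
    unsigned = str(event.get("Signed", "")).lower() == "false"
    claims_ms = "microsoft" in str(event.get("Company", "")).lower()
    return unsigned and claims_ms                    # unsigned DLL posing as Microsoft's

def find_sideloads(events) -> list:
    """Return (Image, ImageLoaded) pairs that match the rule, in input order."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_suspicious_load(e)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": "7", "Image": r"C:\Users\Public\tools\SQLDumper.exe",
     "ImageLoaded": r"C:\Users\Public\tools\vcruntime140.dll",
     "Signed": "false", "Company": "Microsoft Corporation"},        # should match
    {"EventCode": "7", "Image": r"C:\Program Files\Microsoft SQL Server\SQLDumper.exe",
     "ImageLoaded": r"C:\Windows\System32\vcruntime140.dll",
     "Signed": "true", "Company": "Microsoft Corporation"},         # trusted path
    {"EventCode": "7", "Image": r"C:\Temp\SQLWriter.exe",
     "ImageLoaded": r"C:\Temp\vcruntime140.dll",
     "Signed": "true", "Company": "Microsoft Corporation"},         # signed, no match
]
```

Running `find_sideloads(SAMPLE_EVENTS)` returns only the first pair; the other two fall out on the trusted-directory and signature checks respectively.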
Categories
  • Endpoint
Data Sources
  • Process
  • Image
  • Logon Session
ATT&CK Techniques
  • T1574.002
  • T1547
Created: 2025-01-27