
Summary
This detection rule identifies potential DLL side-loading attacks against the Wazuh security platform by monitoring image-load events for two DLLs associated with Wazuh: 'libwazuhshared.dll' and 'libwinpthread-1.dll'. DLL side-loading is a common technique in which an attacker executes malicious code by abusing the way legitimate applications locate and load their DLLs. The rule selects loads of either DLL and alerts when the DLL is loaded from a location other than the expected ones: 'C:\Program Files\' or 'C:\Program Files (x86)\' (the main filter), and specific paths under 'C:\AppData\Local\' or 'C:\ProgramData\' (the optional filter). False positives may arise from benign applications that also ship these DLLs, such as Visual Studio and others, so alerts should be interpreted carefully.
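The selection-and-filter logic described above, as an added example run over constructed Sysmon-style image-load records (this is illustrative code, not the rule itself or Wazuh's code). It assumes each record carries the full DLL path in an 'ImageLoaded' field, that matching is case-insensitive as in Sigma, and, because the page does not list the optional filter's exact sub-paths, it treats the whole 'C:\ProgramData\' and 'C:\AppData\Local\' prefixes as expected locations.

```python
"""Added example: evaluates the Wazuh DLL side-loading detection logic
over constructed image-load events. Not the detection rule's own code."""
from typing import Iterable

# DLLs the rule selects on (Sigma 'endswith' semantics on the image name).
WAZUH_DLLS = ("\\libwazuhshared.dll", "\\libwinpthread-1.dll")

# Main filter: expected install locations named on the page.
MAIN_FILTER = ("C:\\Program Files\\", "C:\\Program Files (x86)\\")

# Optional filter: ASSUMED whole prefixes; the page elides the exact sub-paths.
OPTIONAL_FILTER = ("C:\\ProgramData\\", "C:\\AppData\\Local\\")


def is_wazuh_dll(image_loaded: str) -> bool:
    """Selection: does the loaded image end with one of the two DLL names?"""
    return image_loaded.lower().endswith(tuple(d.lower() for d in WAZUH_DLLS))


def loaded_from_expected_path(image_loaded: str, extra: tuple = ()) -> bool:
    """Filters: was the DLL loaded from a location the rule treats as benign?
    'extra' lets an analyst whitelist known false-positive sources (e.g. a
    Visual Studio install) without touching the main or optional filters."""
    allowed = MAIN_FILTER + OPTIONAL_FILTER + extra
    return image_loaded.lower().startswith(tuple(p.lower() for p in allowed))


def rule_fires(event: dict, extra: tuple = ()) -> bool:
    """Sigma condition: selection and not (filter_main or filter_optional)."""
    image = event.get("ImageLoaded", "")
    return is_wazuh_dll(image) and not loaded_from_expected_path(image, extra)


def evaluate(events: Iterable[dict], extra: tuple = ()) -> list:
    """Return the ImageLoaded paths of every event that triggers the rule."""
    return [e["ImageLoaded"] for e in events if rule_fires(e, extra)]


# Constructed sample records (not real telemetry; paths are made up).
SAMPLE_EVENTS = [
    {"ImageLoaded": "C:\\Program Files (x86)\\wazuh-agent\\libwazuhshared.dll"},
    {"ImageLoaded": "C:\\Users\\alice\\Downloads\\libwazuhshared.dll"},
    {"ImageLoaded": "C:\\Users\\alice\\Downloads\\LIBWINPTHREAD-1.DLL"},
    {"ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT: Wazuh DLL loaded from unexpected path:", hit)
```

Only the two loads from the user's Downloads directory trigger; the load from under 'C:\Program Files (x86)\' is filtered out and the unrelated DLL is never selected.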
Categories
- Windows
Data Sources
- Image
Created: 2023-03-13