
Summary
This rule identifies suspicious activity involving the creation, modification, or deletion of Dynamic Link Library (DLL) modules within a Windows Side-by-Side (SxS) local folder. SxS is a legitimate Windows feature that can be abused by adversaries: because it controls how Windows resolves shared modules, an attacker can influence which DLL an application loads. By placing a malicious DLL in a directory beside the target executable that follows the .exe.local naming convention, the attacker changes the module search order so that the application loads and executes the malicious payload. The rule uses EQL (Event Query Language) to detect .dll files whose path matches 'C:\*\*.exe.local\*.dll', and it is specific to Windows hosts. Its query window is configured to capture events going back nine months. The rule has a medium risk score of 47 and is intended for endpoint-protection threat detection across data sources including Elastic Endgame, Sysmon, and Microsoft Defender.
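As an added illustration (not part of the rule or of Elastic's code), the following Python reproduces the rule's path filter and runs it over constructed file events. It assumes EQL's ':' wildcard semantics (case-insensitive, with '*' spanning backslashes) and uses the ECS event.type values creation, change and deletion for the three operations named above.

```python
import re

# Wildcard path from the rule description. The translation below assumes EQL
# semantics for the ':' operator: '*' matches any run of characters (including
# backslashes) and the comparison is case-insensitive.
EXE_LOCAL_PATTERN = r"C:\*\*.exe.local\*.dll"

# ECS event.type values assumed to correspond to creation, modification and deletion.
FILE_EVENT_TYPES = {"creation", "change", "deletion"}


def eql_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate an EQL-style wildcard string into an anchored, case-insensitive regex."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


EXE_LOCAL_RE = eql_wildcard_to_regex(EXE_LOCAL_PATTERN)


def is_exe_local_dll_event(event: dict) -> bool:
    """True when a file event touches a .dll inside an '<app>.exe.local' folder on C:."""
    if event.get("event.category") != "file":
        return False
    if event.get("event.type") not in FILE_EVENT_TYPES:
        return False
    return EXE_LOCAL_RE.match(event.get("file.path", "")) is not None


def find_hits(events: list) -> list:
    """Return the subset of events the rule's path filter would alert on."""
    return [event for event in events if is_exe_local_dll_event(event)]


# Constructed sample events (not real telemetry), using flattened ECS field names.
SAMPLE_EVENTS = [
    {"event.category": "file", "event.type": "creation",
     "file.path": r"C:\Program Files\Vendor\App.exe.local\comctl32.dll"},
    {"event.category": "file", "event.type": "deletion",   # mixed case still matches
     "file.path": r"c:\Users\alice\AppData\Local\Tool\tool.EXE.local\VERSION.DLL"},
    {"event.category": "file", "event.type": "creation",   # not a .dll
     "file.path": r"C:\Program Files\Vendor\App.exe.local\manifest.xml"},
    {"event.category": "file", "event.type": "change",     # ordinary system DLL path
     "file.path": r"C:\Windows\System32\comctl32.dll"},
    {"event.category": "process", "event.type": "start",   # wrong event category
     "file.path": r"C:\Program Files\Vendor\App.exe.local\comctl32.dll"},
    {"event.category": "file", "event.type": "creation",   # .exe.local directly under C:\
     "file.path": r"C:\App.exe.local\comctl32.dll"},         # is one level too shallow
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT {hit['event.type']:<8} {hit['file.path']}")
```

Note that the pattern's leading 'C:\*\*' requires the .exe.local folder to sit at least one directory below the drive root, so a folder directly under C:\ is not matched by this filter.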
Categories
- Endpoint
- Windows
Data Sources
- File
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1129
Created: 2020-10-28