
Summary
This detection rule identifies system control panel items (CPL files) loaded from uncommon or non-standard directories, which may indicate a sideloading attack. It focuses on two specific control panel items, 'hdwwiz.cpl' and 'appwiz.cpl', which normally reside in the Windows system directories System32, SysWOW64 or WinSxS. The rule matches image-load events where the loaded image ends with one of these CPL names and filters out the legitimate loads that originate from those system directories. Monitoring this activity helps security teams detect abuse of control panel items as an evasion tactic, where a threat actor masquerades malicious code as a legitimate system component.
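The rule's logic applied to image-load events, as an added example (not the rule's own query): it flags the two watched CPL names unless the parent directory is exactly System32 or SysWOW64, or lies under WinSxS. The event field names and the sample events are constructed for illustration.

```python
"""Added example: apply the CPL sideloading rule to image-load events."""
import ntpath

# Control panel items the rule watches (from the rule summary).
WATCHED_CPL = ("hdwwiz.cpl", "appwiz.cpl")

# Parent directories that must match exactly (drive letter stripped, lowercase);
# a subdirectory such as \windows\system32\foo\ is still treated as suspicious.
EXACT_SYSTEM_DIRS = ("\\windows\\system32", "\\windows\\syswow64")

# WinSxS stores components in versioned subdirectories, so a prefix match is used.
WINSXS_PREFIX = "\\windows\\winsxs\\"


def is_suspicious_cpl_load(image_loaded: str) -> bool:
    """Return True when the loaded image matches the rule's conditions."""
    path = ntpath.normpath(image_loaded).lower()
    _drive, tail = ntpath.splitdrive(path)
    if ntpath.basename(tail) not in WATCHED_CPL:
        return False  # not one of the watched control panel items
    parent = ntpath.dirname(tail)
    if parent in EXACT_SYSTEM_DIRS:
        return False  # expected location, filtered out by the rule
    if parent.startswith(WINSXS_PREFIX):
        return False  # component store, also filtered out
    return True


def evaluate_events(events):
    """Apply the rule to a list of image-load events; return the hits."""
    return [e for e in events if is_suspicious_cpl_load(e["ImageLoaded"])]


# Constructed sample events with Sysmon-style Image / ImageLoaded fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\control.exe",
     "ImageLoaded": r"C:\Windows\System32\hdwwiz.cpl"},
    {"Image": r"C:\Windows\SysWOW64\control.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\appwiz.cpl"},
    {"Image": r"C:\Windows\System32\control.exe",
     "ImageLoaded": r"C:\Windows\WinSxS\amd64_example_component\appwiz.cpl"},
    {"Image": r"C:\Windows\System32\control.exe",
     "ImageLoaded": r"C:\Users\Public\Downloads\appwiz.cpl"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Temp\HDWWIZ.CPL"},
    {"Image": r"C:\Windows\System32\control.exe",
     "ImageLoaded": r"C:\Windows\System32\staging\appwiz.cpl"},
    {"Image": r"C:\Windows\System32\control.exe",
     "ImageLoaded": r"C:\Windows\System32\timedate.cpl"},
]

if __name__ == "__main__":
    for hit in evaluate_events(SAMPLE_EVENTS):
        print("ALERT: CPL loaded from non-standard path:", hit["ImageLoaded"])
```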
Categories
- Windows
- Endpoint
Data Sources
- Image
Created: 2024-01-09