CodeIntegrity - Unsigned Image Loaded

Sigma Rules

Summary
This rule detects the loading of an unsigned image in a Windows environment as reported by Windows Code Integrity. It monitors Event ID 3037, which is logged when an attempt is made to load an unsigned image, and flags the event as potential unauthorized code execution that may be part of a privilege escalation attack. The images in question are executables and dynamic link libraries (DLLs) whose signatures cannot be verified against a trusted certificate, which raises the likelihood of malicious activity. The detection logic is a single selection on that event, so any occurrence raises an alert. Because endpoint integrity is critical, the rule is assigned a high severity level. False positives are considered unlikely given how specific the monitored event is. Overall, the rule strengthens endpoint security by surfacing unsigned code execution.
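The selection described above, implemented as an added example (not the rule's own Sigma YAML or any project code) over constructed Windows event records shaped like exported event-log JSON. The channel name follows the Sigma logsource for the Code Integrity operational log; the `FileNameBuffer` field name and all sample values are assumptions made for illustration.

```python
"""Evaluate the 'CodeIntegrity - Unsigned Image Loaded' selection over
constructed Windows event records (dicts shaped like exported event JSON)."""
from typing import Any, Dict, Iterable, List

# Sigma logsource 'windows / codeintegrity-operational' maps to this channel.
CODEINTEGRITY_CHANNEL = "Microsoft-Windows-CodeIntegrity/Operational"
UNSIGNED_IMAGE_EVENT_ID = 3037  # Event ID the rule keys on


def matches_rule(event: Dict[str, Any]) -> bool:
    """Sigma 'selection': channel AND EventID must both match.
    The channel check matters because Event IDs are only unique per provider;
    a 3037 from another channel is an unrelated event."""
    try:
        event_id = int(event.get("EventID", -1))  # some pipelines emit strings
    except (TypeError, ValueError):
        return False
    return event.get("Channel") == CODEINTEGRITY_CHANNEL and event_id == UNSIGNED_IMAGE_EVENT_ID


def alert_on_unsigned_images(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one alert per matching event with the context needed for triage."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            data = ev.get("EventData", {})
            alerts.append({
                "rule": "CodeIntegrity - Unsigned Image Loaded",
                "level": "high",
                "host": ev.get("Computer"),
                "time": ev.get("TimeCreated"),
                "image": data.get("FileNameBuffer"),  # field name is an assumption
            })
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Channel": CODEINTEGRITY_CHANNEL, "EventID": 3037, "Computer": "ws01",
     "TimeCreated": "2023-06-06T10:00:00Z",
     "EventData": {"FileNameBuffer": r"\Device\HarddiskVolume3\Users\Public\loader.dll"}},
    # Same channel, different Event ID: out of scope for this rule.
    {"Channel": CODEINTEGRITY_CHANNEL, "EventID": 3033, "Computer": "ws01",
     "TimeCreated": "2023-06-06T10:00:01Z", "EventData": {}},
    # Event ID 3037 from an unrelated channel: must not fire.
    {"Channel": "Application", "EventID": 3037, "Computer": "ws01",
     "TimeCreated": "2023-06-06T10:00:02Z", "EventData": {}},
    # EventID delivered as a string: still matches.
    {"Channel": CODEINTEGRITY_CHANNEL, "EventID": "3037", "Computer": "srv02",
     "TimeCreated": "2023-06-06T10:05:00Z",
     "EventData": {"FileNameBuffer": r"\Device\HarddiskVolume2\Windows\Temp\drv.sys"}},
]

if __name__ == "__main__":
    for alert in alert_on_unsigned_images(SAMPLE_EVENTS):
        print(alert)
```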
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Logon Session
Created: 2023-06-06