
Summary
Detects DLL side-loading of the Windows Bitdefender Submission Wizard by correlating Sysmon ImageLoad events (EventID 7). The rule triggers when a Bitdefender process (BDSubmit.exe, bdsw.exe, or a renamed BluetoothService.exe) is observed and a log.dll DLL is subsequently loaded from a non-standard path. It excludes legitimate loads of log.dll from standard system folders (Program Files, Windows System32, SysWOW64). The detection uses ImageLoad data to correlate the loading image, the loaded DLL (ImageLoaded), and related fields (OriginalFileName, dest, user, process paths), and aggregates the results over time. The purpose is to identify potential DLL side-loading/hijacking of Bitdefender components. The rule assigns a risk-based alerting (RBA) context indicating possible DLL side-loading activity and is intended for Splunk/Sysmon deployments, with mapping to the endpoint data models. It references MITRE ATT&CK T1574 (DLL side-loading) and is labeled experimental. Implementation guidance covers enabling ImageLoad parsing in Sysmon and ensuring proper data-model alignment. Known false positives are mitigated by allowing legitimate Bitdefender installations that load log.dll from the standard directories.
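The matching and aggregation logic described above, re-implemented in Python over constructed Sysmon EventID 7 records so the rule's behaviour can be exercised offline. This is an added illustration, not the rule's own SPL; the process list is matched against either the image basename or OriginalFileName (an assumption, to cover the renamed binary), and the allowed directory prefixes and field names are assumed.

```python
import ntpath

# Process names from the summary. Assumption: matched case-insensitively against
# the image basename OR Sysmon's OriginalFileName, so a renamed copy still matches.
BD_BINARIES = {"bdsubmit.exe", "bdsw.exe", "bluetoothservice.exe"}
# Loads of log.dll from these trees are treated as legitimate (assumed prefix forms).
ALLOWED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\",
                    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def is_sideload(ev):
    """True for one Sysmon EventID 7 record that satisfies the rule's conditions."""
    if ev.get("EventID") != 7:
        return False
    image = ntpath.basename(ev.get("Image", "")).lower()
    original = ev.get("OriginalFileName", "").lower()
    if image not in BD_BINARIES and original not in BD_BINARIES:
        return False
    loaded = ev.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() != "log.dll":
        return False
    return not loaded.lower().startswith(ALLOWED_PREFIXES)

def detect(events):
    """Aggregate matching records per host/user/process/DLL, like the rule's stats step."""
    agg = {}
    for ev in events:
        if not is_sideload(ev):
            continue
        key = (ev["Computer"], ev["User"], ev["Image"], ev["ImageLoaded"])
        e = agg.setdefault(key, {"count": 0, "first": ev["UtcTime"], "last": ev["UtcTime"]})
        e["count"] += 1
        e["first"], e["last"] = min(e["first"], ev["UtcTime"]), max(e["last"], ev["UtcTime"])
    return [{"dest": k[0], "user": k[1], "process": k[2], "dll": k[3], **v} for k, v in agg.items()]

# Constructed sample records (not real telemetry): one benign load, one side-load from a
# user-writable folder, one renamed binary, and one unrelated process loading log.dll.
SAMPLE_EVENTS = [
    {"EventID": 7, "UtcTime": "2026-03-13 09:00:00.000", "Computer": "ws01", "User": "CORP\\alice",
     "Image": "C:\\Program Files\\Bitdefender\\BDSubmit.exe", "OriginalFileName": "BDSubmit.exe",
     "ImageLoaded": "C:\\Program Files\\Bitdefender\\log.dll"},
    {"EventID": 7, "UtcTime": "2026-03-13 09:05:00.000", "Computer": "ws01", "User": "CORP\\alice",
     "Image": "C:\\Users\\Public\\bds\\BDSubmit.exe", "OriginalFileName": "BDSubmit.exe",
     "ImageLoaded": "C:\\Users\\Public\\bds\\log.dll"},
    {"EventID": 7, "UtcTime": "2026-03-13 09:10:00.000", "Computer": "ws02", "User": "CORP\\bob",
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "OriginalFileName": "BluetoothService.exe",
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\log.dll"},
    {"EventID": 7, "UtcTime": "2026-03-13 09:11:00.000", "Computer": "ws02", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\log.dll"},
]
```

Running `detect(SAMPLE_EVENTS)` yields two aggregated results (ws01 and ws02); the Program Files load and the notepad.exe load are filtered out.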
Categories
- Endpoint
- Windows
Data Sources
- Script
- Image
- Windows Registry
ATT&CK Techniques
- T1574
Created: 2026-03-13