diff --git a/rules/windows/image_load/image_load_side_load_python.yml b/rules/windows/image_load/image_load_side_load_python.yml
new file mode 100644
index 00000000000..76af3a227ac
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_python.yml
@@ -0,0 +1,43 @@
+title: Potential Python DLL SideLoading
+id: d36f7c12-14a3-4d48-b6b8-774b9c66f44d
+status: experimental
+description: Detects potential DLL sideloading of Python DLL files.
+references:
+    - https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/
+    - https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/
+    - https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python
+author: Swachchhanda Shrawan Poudel
+date: 2024-10-06
+tags:
+    - attack.defense-evasion
+    - attack.t1574.002
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|endswith:
+            - '\python39.dll'
+            - '\python310.dll'
+            - '\python311.dll'
+            - '\python312.dll'
+    filter_main_default_install_paths:
+        - ImageLoaded|startswith:
+              - 'C:\Program Files\Python3'
+              - 'C:\Program Files (x86)\Python3'
+        - ImageLoaded|contains: '\AppData\Local\Programs\Python\Python3'
+    filter_optional_visual_studio:
+        ImageLoaded|startswith: 'C:\Program Files\Microsoft Visual Studio\'
+    filter_optional_cpython:
+        ImageLoaded|contains:
+            - '\cpython\externals\'
+            - '\cpython\PCbuild\'
+    filter_main_legit_signature_details:
+        Product: 'Python'
+        Signed: 'true'
+        Description: 'Python'
+        Company: 'Python Software Foundation'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+    - Legitimate software using Python DLLs
+level: medium