
Summary
This detection rule identifies the creation of files without an extension in critical Windows directories, specifically 'System32\Drivers' and 'syswow64\drivers'. The logic uses the Endpoint.Filesystem datamodel populated from Sysmon event logs, looking for events that signify file creations (EventID 1) and changes (EventID 11). Files in these directories that lack an extension can be indicative of malware activity; the destructive HermeticWiper, for example, is known to drop malicious components in these system paths. Such activity can lead to data loss and an inoperable system through wiping of the boot sector. The rule aggregates results by file path, user, and timestamp to give analysts monitoring endpoints a clear view of the detected events.
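As an added illustration that is not part of the rule or its source content, the following Python sketch applies the same logic (watched driver folders, no file extension, aggregation by path and user with first/last seen) to a handful of constructed file-create events; the event field names (time, user, path) are assumptions, not the datamodel's or Sysmon's own.

```python
from collections import OrderedDict

# Folders the rule watches; compared case-insensitively so 'Drivers' and
# 'drivers' both match, with trailing separators so subfolders count too.
CRITICAL_DIRS = ("\\system32\\drivers\\", "\\syswow64\\drivers\\")

# Constructed Sysmon-style file-create events (field names are assumed);
# not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2024-11-13T10:00:01Z", "user": "NT AUTHORITY\\SYSTEM",
     "path": "C:\\Windows\\System32\\drivers\\e1i65x64.sys"},
    {"time": "2024-11-13T10:00:05Z", "user": "CORP\\alice",
     "path": "C:\\Windows\\System32\\Drivers\\ndir"},
    {"time": "2024-11-13T10:00:09Z", "user": "CORP\\alice",
     "path": "C:\\Windows\\System32\\Drivers\\ndir"},
    {"time": "2024-11-13T10:01:00Z", "user": "CORP\\bob",
     "path": "C:\\Windows\\SysWOW64\\drivers\\mpsdrv"},
    {"time": "2024-11-13T10:02:00Z", "user": "CORP\\bob",
     "path": "C:\\Temp\\notes"},
]


def in_critical_dir(path):
    """True when the path sits under one of the watched driver folders."""
    p = path.lower()
    return any(d in p for d in CRITICAL_DIRS)


def lacks_extension(path):
    """True when the file name has no '.ext' part; a bare trailing dot
    is not treated as an extension either."""
    name = path.rsplit("\\", 1)[-1]
    return "." not in name or name.endswith(".")


def detect(events):
    """Apply the rule and aggregate hits per (path, user), keeping a
    count and the first/last timestamps, like a stats-by clause would."""
    hits = OrderedDict()
    for ev in sorted(events, key=lambda e: e["time"]):
        path = ev["path"]
        if not (in_critical_dir(path) and lacks_extension(path)):
            continue
        key = (path.lower(), ev["user"])
        h = hits.setdefault(key, {"path": path, "user": ev["user"], "count": 0,
                                  "first_seen": ev["time"], "last_seen": ev["time"]})
        h["count"] += 1
        h["last_seen"] = ev["time"]
    return list(hits.values())


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f"{h['user']:20} {h['path']}  x{h['count']}  "
              f"{h['first_seen']} .. {h['last_seen']}")
```

Extension-less files are rare in these folders, so the result set stays small; any recurring legitimate path an environment produces can be allowlisted before the hits are raised as alerts.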
Categories
- Windows
- Endpoint
Data Sources
- File
- Process
ATT&CK Techniques
- T1485
Created: 2024-11-13