
Summary
This detection rule identifies the loading of the WinDivert driver. WinDivert is a user-mode packet capture, sniffing, modification, blocking and re-injection tool for Windows. The rule focuses specifically on detecting the presence of the WinDivert driver and its variants through string matching on the driver file names and through hash checks. It can help security teams monitor potentially malicious activity that leverages WinDivert's features, which are typically used in network tapping or injection attacks. The detection criteria cover the driver file names as well as specific hash values associated with known legitimate or malicious versions of the driver. False positives may occur where WinDivert is used legitimately in the environment. The rule is applicable to threat hunting and to monitoring suspicious activity related to network packet manipulation.
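The following is an added illustration of the two detection criteria described above (driver file-name match and hash match), run over constructed Sysmon Event ID 6 "Driver loaded" records; it is not the rule's own logic. The file-name pattern, the host allowlist used to suppress known legitimate use, and the hash values (labelled placeholders) are assumptions.

```python
import re
from typing import Optional

# Constructed sample of Sysmon Event ID 6 ("Driver loaded") records, reduced to the
# fields the detection uses. Hash values are labelled placeholders, not real hashes.
SAMPLE_EVENTS = [
    {"host": "ws01", "ImageLoaded": r"C:\Windows\System32\drivers\WinDivert64.sys",
     "Hashes": "SHA256=PLACEHOLDER_HASH_KNOWN_WINDIVERT_BUILD"},
    {"host": "ws02", "ImageLoaded": r"C:\Users\Public\netfilt.sys",       # renamed copy:
     "Hashes": "SHA256=PLACEHOLDER_HASH_KNOWN_WINDIVERT_BUILD"},         # only the hash check catches it
    {"host": "ws03", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=PLACEHOLDER_HASH_BENIGN_DRIVER"},
    {"host": "proxy01", "ImageLoaded": r"C:\Program Files\Tool\WinDivert.sys",  # sanctioned use
     "Hashes": "SHA256=PLACEHOLDER_HASH_OTHER_WINDIVERT_BUILD"},
]

# Assumed hash set; in a real deployment this is populated from the rule's hash list.
KNOWN_WINDIVERT_HASHES = {"PLACEHOLDER_HASH_KNOWN_WINDIVERT_BUILD"}

# Assumed name pattern: WinDivert.sys, WinDivert32.sys, WinDivert64.sys, case-insensitive.
DRIVER_NAME_RE = re.compile(r"^windivert[0-9]*\.sys$", re.IGNORECASE)


def parse_hashes(field: str) -> dict:
    """Split a Sysmon 'Hashes' field such as 'MD5=...,SHA256=...' into {ALGO: value}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def detect_windivert_load(event: dict, known_hashes=KNOWN_WINDIVERT_HASHES,
                          allowlisted_hosts=()) -> Optional[str]:
    """Return the reason the event matches, or None if it does not (or the host is allowlisted)."""
    if event.get("host") in allowlisted_hosts:
        return None
    name = event.get("ImageLoaded", "").replace("/", "\\").rsplit("\\", 1)[-1]
    if DRIVER_NAME_RE.match(name):
        return f"driver name matches WinDivert pattern: {name}"
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 and sha256 in {h.lower() for h in known_hashes}:
        return f"SHA256 matches a known WinDivert build despite file name {name}"
    return None


def run_detection(events, allowlisted_hosts=()):
    """Evaluate every event; return (host, reason) pairs for the ones that fire."""
    return [(e["host"], r) for e in events
            if (r := detect_windivert_load(e, allowlisted_hosts=allowlisted_hosts))]


if __name__ == "__main__":
    for host, reason in run_detection(SAMPLE_EVENTS, allowlisted_hosts={"proxy01"}):
        print(host, "->", reason)
```

The renamed driver on ws02 shows why the rule pairs the file-name match with a hash check, and the allowlist shows one way to handle the legitimate-use false positives the summary mentions.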
Categories
- Endpoint
- Windows
Data Sources
- Driver
Created: 2021-07-30