
Summary
This detection rule targets the loading of drivers from unusual paths on Windows hosts, a signal of possible privilege escalation: an adversary who has gained the rights to install a driver can run code in the kernel, and adversaries may exploit vulnerabilities in software or the operating system itself to obtain those elevated privileges or to execute malicious payloads. The rule relies on Sysmon driver-load telemetry (Sysmon Event ID 6, DriverLoad) and fires when a driver (typically a .sys file) is loaded from outside the standard directories, namely Windows\System32\drivers, Windows\SysWOW64\drivers, Windows\INF, and Windows\System32\DriverStore. The detection logic uses a regular expression to filter out these expected paths, so only driver loads from elsewhere are flagged for investigation. Because the allowlist is purely path-based, the match must be case-insensitive and the path should be normalized first; a malicious driver copied into one of the allowed directories is not flagged by this rule alone, so the driver's signature status reported in the same event should be reviewed during triage. The rule is mapped to MITRE ATT&CK techniques T1543.003 (Create or Modify System Process: Windows Service) and T1068 (Exploitation for Privilege Escalation). Monitoring these events gives security teams earlier visibility into driver-based tampering and a basis for response.
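As an added illustration (this is not the rule's own code), the following Python reimplements the path allowlist described above and runs it over constructed Sysmon Event ID 6 records. The field names EventID and ImageLoaded follow Sysmon's schema; the sample paths and file names are made up. It also shows the edge cases a path-only allowlist has to handle: mixed case, forward slashes, the \\?\ extended-length prefix, ".." traversal, and a directory name that merely starts with "drivers".

```python
import ntpath
import re

# Standard driver directories named by the rule, anchored at the drive root.
# Each alternative ends in a backslash so that "drivers_old" or "INFx" do not
# match. Windows paths are case-insensitive, so the regex is too.
ALLOWED_DRIVER_DIR_RE = re.compile(
    r"^[a-z]:\\windows\\"
    r"(?:system32\\drivers|syswow64\\drivers|inf|system32\\driverstore)\\",
    re.IGNORECASE,
)


def normalize_image_path(image_loaded: str) -> str:
    """Canonicalize an ImageLoaded value before matching it against the allowlist."""
    path = image_loaded.strip().strip('"')
    # Drop the extended-length prefix so the drive letter is visible to the regex.
    if path.startswith("\\\\?\\"):
        path = path[4:]
    # ntpath works on any host OS: it converts "/" to "\" and collapses "." and "..",
    # so "C:\Windows\System32\drivers\..\..\Temp\x.sys" becomes "C:\Windows\Temp\x.sys".
    return ntpath.normpath(path)


def is_unusual_driver_path(image_loaded: str) -> bool:
    """True when the normalized path is outside every allowed driver directory."""
    return ALLOWED_DRIVER_DIR_RE.match(normalize_image_path(image_loaded)) is None


def find_unusual_driver_loads(events):
    """Return the Sysmon DriverLoad (Event ID 6) records whose driver path is unusual.

    Event ID 7 (ImageLoad) records also carry ImageLoaded, so the event type is
    checked explicitly to avoid flagging ordinary DLL loads with this rule.
    """
    return [
        e for e in events
        if e.get("EventID") == 6 and is_unusual_driver_path(e["ImageLoaded"])
    ]


# Constructed sample telemetry; these are not real captured events.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"EventID": 6, "ImageLoaded": r"c:\WINDOWS\system32\DRIVERS\ndis.sys"},
    {"EventID": 6, "ImageLoaded": r"\\?\C:\Windows\System32\drivers\afd.sys"},
    {"EventID": 6, "ImageLoaded": "C:/Windows/System32/drivers/http.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\DriverStore\FileRepository\gpu.inf_amd64_1\gpu.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\loader.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\..\..\Temp\loader.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers_old\loader.sys"},
    {"EventID": 7, "ImageLoaded": r"C:\Users\Public\helper.dll"},
]


if __name__ == "__main__":
    for event in find_unusual_driver_loads(SAMPLE_EVENTS):
        print("unusual driver load:", event["ImageLoaded"])
```

Running the block flags only the three loads from C:\Users\Public, C:\Windows\Temp (after traversal is collapsed) and C:\Windows\System32\drivers_old; the mixed-case, forward-slash and \\?\ variants of legitimate paths are correctly accepted, and the Event ID 7 DLL load is ignored. A driver dropped directly into C:\Windows\System32\drivers passes this check, which is why the signature fields of the event still need review.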
Categories
- Windows
Data Sources
- Windows Registry
- Process
- File
ATT&CK Techniques
- T1543.003
- T1068
- T1543
Created: 2024-04-25