
Summary
This detection rule identifies drivers loaded from suspicious paths on endpoints, using Sysmon Event Code 6, which records each newly loaded driver. The analytic specifically flags drivers loaded from outside the standard directories (such as Windows System32 or DriverStore), which is atypical for legitimate drivers. Such deviations may indicate attempts to load malicious drivers associated with rootkits, malware, or coin miners such as XMRig, enabling kernel-level exploitation or privilege escalation. The rule requires Sysmon to be deployed and its logs to be ingested correctly; it can then alert security teams to driver loads that deviate from established norms.
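The path check the summary describes, worked through as an added Python example that is not the rule's own search logic. It takes a handful of constructed Sysmon Event ID 6 records, normalises the ImageLoaded path (the \??\ and \SystemRoot\ forms are handled as an assumption about how such paths may appear in logs), and flags any driver loaded from outside an assumed allowlist of System32\drivers and System32\DriverStore; the allowlist and field names are this example's assumptions, not the rule's.

```python
"""Flag Sysmon Event ID 6 (Driver loaded) records whose ImageLoaded path lies
outside the standard driver directories.

Added illustration of the detection idea, not the rule's own logic.
All events below are constructed sample data.
"""
from __future__ import annotations

# Directory prefixes treated as standard for driver binaries.
# Assumption for this example; tune to the environment being monitored.
STANDARD_DRIVER_PREFIXES = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed Sysmon records, reduced to the fields this check needs.
SAMPLE_EVENTS = [
    {"EventID": 6, "Computer": "ws01", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 6, "Computer": "ws01",
     "ImageLoaded": r"C:\Windows\System32\DriverStore\FileRepository\example.inf_amd64_0000\example.sys",
     "Signed": "true", "Signature": "Example Vendor"},
    {"EventID": 6, "Computer": "ws02", "ImageLoaded": r"C:\Users\Public\example_miner.sys",
     "Signed": "false", "Signature": ""},
    {"EventID": 6, "Computer": "ws03", "ImageLoaded": r"\??\C:\ProgramData\tmp\example_rootkit.sys",
     "Signed": "true", "Signature": "Unknown Publisher"},
    # Event ID 7 is an image load, not a driver load; the rule ignores it.
    {"EventID": 7, "Computer": "ws03", "ImageLoaded": r"C:\Users\Public\notadriver.dll",
     "Signed": "false", "Signature": ""},
    {"EventID": 6, "Computer": "ws04", "ImageLoaded": r"\SystemRoot\System32\drivers\example3.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
]


def normalize_driver_path(path: str) -> str:
    """Lower-case the path and fold common NT-style prefixes into a plain drive path.

    Handling of \\??\\ and \\SystemRoot\\ is an assumption about how driver
    paths can appear in logs; extend as needed.
    """
    p = path.strip().replace("/", "\\").lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    return p


def is_standard_path(normalized_path: str) -> bool:
    """True when the normalised path sits under one of the allowlisted directories."""
    return any(normalized_path.startswith(prefix) for prefix in STANDARD_DRIVER_PREFIXES)


def find_suspicious_driver_loads(events: list[dict]) -> list[dict]:
    """Return one finding per Event ID 6 record loaded from a non-standard path."""
    findings = []
    for event in events:
        if event.get("EventID") != 6:
            continue
        raw = event.get("ImageLoaded", "")
        norm = normalize_driver_path(raw)
        if is_standard_path(norm):
            continue
        findings.append({
            "host": event.get("Computer"),
            "image_loaded": raw,
            "normalized": norm,
            "signed": event.get("Signed"),
            "signature": event.get("Signature"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_driver_loads(SAMPLE_EVENTS):
        print(f"[driver load outside standard path] host={finding['host']} "
              f"path={finding['image_loaded']} signed={finding['signed']} "
              f"signature={finding['signature']!r}")
```

The signing fields are carried through into each finding rather than used to suppress it: a signed driver from an unusual path is still worth a look, and the analyst can triage on signature and publisher afterwards.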
Categories
- Endpoint
Data Sources
- User Account
- Process
ATT&CK Techniques
- T1543.003
- T1543
Created: 2024-11-13