
Summary
This analytic detection rule identifies drivers being loaded from suspicious paths, behaviour commonly associated with malicious activity such as the kernel-mode helpers dropped alongside cryptocurrency miners like xmrig. The detection uses Sysmon EventCode 6 (DriverLoad) to find instances where drivers (`*.sys` files) are loaded from directories outside the standard system paths. In legitimate scenarios, Windows drivers reside in system directories such as `C:\WINDOWS\System32\drivers` or related subdirectories. Deviations from this norm can indicate rootkits, privilege escalation, or unauthorized code execution at the kernel level. The rule supports endpoint security by flagging abnormal driver-load behaviour with a low false-positive rate: the search query filters out the well-known driver directories so that only the anomalies remain, which helps in proactive threat mitigation.
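The filtering logic described above, as an added example that is not the rule's own SPL: it runs over constructed Sysmon EventCode 6 records and flags `.sys` loads from outside an assumed allow-list of driver directories (`System32\drivers` from the page, `System32\DriverStore` added as an assumption to tune per environment).

```python
from typing import Iterable, List

# Constructed sample Sysmon EventCode 6 (DriverLoad) records; not real telemetry.
# Field names follow Sysmon's DriverLoad schema (ImageLoaded, Signed, Signature).
SAMPLE_EVENTS = [
    {"EventCode": 6, "ImageLoaded": r"C:\WINDOWS\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventCode": 6, "ImageLoaded": r"C:\Windows\System32\DriverStore\FileRepository\example.inf_amd64_0000\example.sys",
     "Signed": "true", "Signature": "EXAMPLE VENDOR"},
    {"EventCode": 6, "ImageLoaded": r"C:\Users\Public\Downloads\miner_helper.sys",
     "Signed": "false", "Signature": "-"},
    {"EventCode": 6, "ImageLoaded": r"c:\programdata\tmp\kmod.SYS",   # mixed case on purpose
     "Signed": "true", "Signature": "EXAMPLE VENDOR"},
    {"EventCode": 7, "ImageLoaded": r"C:\Users\Public\Downloads\helper.dll",
     "Signed": "false", "Signature": "-"},   # EventCode 7 is ImageLoad, not a driver load
]

# Assumed allow-list of directories where Windows keeps drivers. The rule text names
# System32\drivers "and related subdirectories"; DriverStore is an assumption here.
ALLOWED_PREFIXES = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


def normalize(path: str) -> str:
    """Lower-case and unify separators so prefix matching is case-insensitive."""
    return path.replace("/", "\\").lower()


def is_suspicious_driver_load(event: dict) -> bool:
    """True for a Sysmon EventCode 6 whose .sys image loads from outside the allow-list."""
    if event.get("EventCode") != 6:
        return False
    path = normalize(event.get("ImageLoaded", ""))
    if not path.endswith(".sys"):
        return False
    return not any(path.startswith(prefix) for prefix in ALLOWED_PREFIXES)


def find_suspicious_driver_loads(events: Iterable[dict]) -> List[str]:
    """Return the ImageLoaded paths the rule would flag, in input order."""
    return [e["ImageLoaded"] for e in events if is_suspicious_driver_load(e)]


if __name__ == "__main__":
    for hit in find_suspicious_driver_loads(SAMPLE_EVENTS):
        print("suspicious driver load:", hit)
```

Signature fields are kept in the records so a second-stage check (unsigned or unexpected signer) can be layered on top without changing the path filter.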
Categories
- Endpoint
Data Sources
- Pod
- Container
- Windows Registry
- File
- Process
- Service
ATT&CK Techniques
- T1543.003
- T1543
Created: 2025-02-03