
Summary
This detection rule identifies creation of the Process Monitor (procmon) driver by binaries other than the Sysinternals tool itself. It monitors file events on Windows systems, looking for the creation of a file whose target filename relates to 'procmon' and ends with '.sys'. The selection criteria capture potentially malicious activity, while a filter excludes legitimate executions of Process Monitor (procmon.exe and procmon64.exe). The rule therefore flags events that match the selection criteria but are not initiated by one of the official Process Monitor executables. It is intended to help security teams identify privilege escalation or persistence mechanisms in which malicious actors use non-authentic drivers posing as legitimate software, and so strengthens endpoint security monitoring.
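The following is an added example, not the rule's own code, that applies the selection and filter logic described above to constructed file-creation events. The field names TargetFilename and Image are assumed to follow Sysmon Event ID 11 naming; the sample events are constructed for illustration.

```python
"""Evaluate Windows file-creation events against the procmon-driver detection
logic summarised above (added example, not the detection rule's own code).

Assumed field names: TargetFilename (file created), Image (creating process).
"""
from typing import Dict, List

# Filter: the official Process Monitor executables are expected to drop the driver.
LEGITIMATE_IMAGE_SUFFIXES = ("\\procmon.exe", "\\procmon64.exe")


def is_suspicious_procmon_driver_creation(event: Dict[str, str]) -> bool:
    """Return True when the event matches the selection but not the filter."""
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()

    # Selection: the created file relates to 'procmon' and is a kernel driver (.sys).
    if "procmon" not in target or not target.endswith(".sys"):
        return False

    # Filter: creation by procmon.exe / procmon64.exe is legitimate and is excluded.
    # Note that the exclusion is by image path suffix only; the binary's signature
    # is not verified here.
    if image.endswith(LEGITIMATE_IMAGE_SUFFIXES):
        return False

    return True


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Legitimate: Process Monitor itself drops its driver.
        "Image": "C:\\Tools\\Procmon64.exe",
        "TargetFilename": "C:\\Windows\\System32\\Drivers\\PROCMON24.sys",
    },
    {   # Suspicious: an unrelated binary writes a procmon-named driver.
        "Image": "C:\\Users\\Public\\loader.exe",
        "TargetFilename": "C:\\Windows\\System32\\Drivers\\PROCMON24.sys",
    },
    {   # Not selected: no 'procmon' in the filename.
        "Image": "C:\\Users\\Public\\loader.exe",
        "TargetFilename": "C:\\Users\\Public\\notes.txt",
    },
    {   # Not selected: 'procmon' in the name but not a .sys driver.
        "Image": "C:\\Users\\Public\\loader.exe",
        "TargetFilename": "C:\\Users\\Public\\procmon-notes.log",
    },
]


def flag_events(events: List[Dict[str, str]]) -> List[str]:
    """Return the Image paths of all events the rule would flag."""
    return [e["Image"] for e in events if is_suspicious_procmon_driver_creation(e)]


if __name__ == "__main__":
    for image in flag_events(SAMPLE_EVENTS):
        print("ALERT: procmon driver created by non-Sysinternals binary:", image)
```

Only the second sample event is flagged: the first is excluded by the filter, and the last two never match the selection. Because the filter keys on the image path suffix alone, analysts reviewing alerts should confirm the creating binary's origin rather than rely on its name.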
Categories
- Windows
- Endpoint
Data Sources
- File
- Process
Created: 2023-05-05