
Summary
This rule detects when MsMpEng.exe creates or writes a file in the Windows System32 directory (C:\Windows\System32) by filtering Sysmon events (EventID 11, FileCreate, and EventID 15, FileCreateStreamHash) for an Image of MsMpEng.exe and a TargetFilename under System32. Under normal operation, Microsoft Defender (MsMpEng) does not write kernel drivers at runtime, so this is a high-risk activity that can indicate abuse such as a TOCTOU (time-of-check to time-of-use) race used in BlueHammer-style exploits to plant a driver payload with SYSTEM privileges. The rule captures a set of artifacts including Computer, Image, TargetFilename, EventID, and associated process and file metadata (hash, name, path, command line, GUID, PID, signature, user). It aggregates event timing and emits a finding when a suspicious file is created under System32 by MsMpEng; such a write could precede driver loading, privilege escalation, or kernel-level manipulation.
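The rule's matching logic replayed over constructed Sysmon events, as an added example that is not the rule's own query; field names follow the Sysmon EventID 11/15 schema and every sample value (host name, Defender platform path, GUID, hash) is made up. It goes slightly beyond the summary by normalising the path so that forward slashes and ".." spellings still resolve under System32 while sibling directories such as System32Extra do not.

```python
from typing import Optional
import ntpath

WATCHED_EVENT_IDS = {11, 15}          # Sysmon FileCreate, FileCreateStreamHash
WATCHED_IMAGE = "msmpeng.exe"         # Microsoft Defender engine process
WATCHED_DIR = r"c:\windows\system32"  # compared case-insensitively after normalisation


def is_under_system32(path: str) -> bool:
    """True when path resolves inside C:\\Windows\\System32 (any depth); normpath
    folds '..' and '/', and the trailing backslash excludes siblings and the dir itself."""
    norm = ntpath.normpath(path).lower()
    return norm.startswith(WATCHED_DIR + "\\")


def match_event(event: dict) -> Optional[dict]:
    """Apply the rule to one flattened Sysmon event and return the artifacts
    the rule captures on a match, or None when the event is out of scope."""
    if event.get("EventID") not in WATCHED_EVENT_IDS:
        return None
    if ntpath.basename(event.get("Image", "")).lower() != WATCHED_IMAGE:
        return None
    if not is_under_system32(event.get("TargetFilename", "")):
        return None
    keys = ("Computer", "UtcTime", "EventID", "Image", "TargetFilename",
            "ProcessGuid", "ProcessId", "User", "Hashes")
    return {k: event.get(k) for k in keys}


def run_rule(events: list) -> list:
    """Return one finding per matching event, in arrival order."""
    return [m for m in map(match_event, events) if m is not None]


# Constructed sample events (not real telemetry); only rule-relevant fields are set.
DEFENDER = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0-0\MsMpEng.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "ws01", "UtcTime": "2026-06-16 10:00:01.000",
     "Image": DEFENDER, "TargetFilename": r"C:\Windows\System32\drivers\sample.sys",
     "ProcessGuid": "{PLACEHOLDER-GUID}", "ProcessId": 4242,
     "User": r"NT AUTHORITY\SYSTEM", "Hashes": "SHA256=PLACEHOLDER"},
    # Same directory, different writer: svchost is outside this rule's scope.
    {"EventID": 11, "Computer": "ws01", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\config\sample.tmp"},
    # Defender writing outside System32 does not match.
    {"EventID": 11, "Computer": "ws01", "Image": DEFENDER,
     "TargetFilename": r"C:\Windows\Temp\sample-scan.tmp"},
    # EventID 15 with a traversal-style path still resolves under System32.
    {"EventID": 15, "Computer": "ws01", "Image": DEFENDER,
     "TargetFilename": r"C:\Windows\Temp\..\System32\drivers\sample.sys"},
]
```

Running `run_rule(SAMPLE_EVENTS)` yields two findings (the EventID 11 and the EventID 15 Defender writes); the svchost write and the Windows\Temp write are dropped.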
Categories
- Endpoint
- Windows
Data Sources
- Script
- Image
- Windows Registry
- Process
ATT&CK Techniques
- T1068
- T1543.003
Created: 2026-06-16