
Summary
This detection rule identifies kernel modules loaded into Windows that fail the Windows Hardware Quality Labs (WHQL) signing requirements. WHQL provides a standard for verifying driver integrity and security, so that only authentic, verified components are permitted to run in the kernel space of the OS. By monitoring Event IDs 3082 and 3083, the rule captures events for kernel modules that lack proper signing, which can indicate security risks such as privilege escalation or unauthorized access. The rule includes an optional filter for specific VMware driver files that commonly generate noise, helping to separate genuine threats from benign events. Its high alert level reflects the serious implications of unsigned kernel modules for system integrity and security. The rule is important in environments where driver verification is critical to guard against exploitation arising from improperly sourced kernel modules, and it reinforces Microsoft's application control guidelines by encouraging compliance with established driver signing requirements.
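As an added illustration (not the rule's own code), the following Python models the detection logic the summary describes and runs it over constructed event records: match Event IDs 3082 and 3083, then suppress an allowlist of driver file names in the way the optional VMware filter does. The channel name, the flattened event shape and the sample file names are assumptions; the page does not list the VMware driver names, so the caller supplies them.

```python
from dataclasses import dataclass

# Event IDs the summary cites for a kernel module failing WHQL signing checks.
WHQL_EVENT_IDS = {3082, 3083}
# Assumed source channel for these Code Integrity events (not stated on the page).
CHANNEL = "Microsoft-Windows-CodeIntegrity/Operational"


@dataclass(frozen=True)
class Alert:
    event_id: int
    file_name: str


def detect_unsigned_kernel_modules(events, allowlist=()):
    """Return one Alert per WHQL-failure event not covered by the allowlist.

    events:    dicts with "Channel", "EventID" and "FileNameBuffer" keys
               (a flattened Windows event record; this shape is assumed).
    allowlist: driver file names to suppress, matched case-insensitively. It
               stands in for the rule's optional VMware driver filter; the
               summary does not list the names, so the caller supplies them.
    """
    allowed = {name.lower() for name in allowlist}
    alerts = []
    for ev in events:
        if ev.get("Channel") != CHANNEL or ev.get("EventID") not in WHQL_EVENT_IDS:
            continue
        path = ev.get("FileNameBuffer", "")
        # Event text carries a kernel-style path; the filter keys on its last component.
        name = path.replace("/", "\\").rsplit("\\", 1)[-1]
        if name.lower() in allowed:
            continue  # known-noisy driver, suppressed like the rule's optional filter
        alerts.append(Alert(ev["EventID"], name))
    return alerts


# Constructed sample telemetry, not real log data. "vm_placeholder.sys" stands in
# for whatever VMware driver file the rule's filter names.
SAMPLE_EVENTS = [
    {"Channel": CHANNEL, "EventID": 3082,
     "FileNameBuffer": r"\Device\HarddiskVolume3\Windows\System32\drivers\example_unsigned.sys"},
    {"Channel": CHANNEL, "EventID": 3083,
     "FileNameBuffer": r"\Device\HarddiskVolume3\Windows\System32\drivers\vm_placeholder.sys"},
    {"Channel": CHANNEL, "EventID": 3076,  # a different event ID; must not match
     "FileNameBuffer": r"\Device\HarddiskVolume3\Windows\System32\drivers\other.sys"},
]


def run_sample(allowlist=("vm_placeholder.sys",)):
    return detect_unsigned_kernel_modules(SAMPLE_EVENTS, allowlist)
```

Calling `run_sample()` with the default allowlist yields a single alert for `example_unsigned.sys`; passing an empty allowlist also surfaces the placeholder VMware driver, which is the noise the rule's optional filter is meant to remove.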
Categories
- Endpoint
- Windows
Data Sources
- Driver
- Logon Session
Created: 2023-06-06