Windows Suspicious File in EFI Volume

Splunk Security Content

Summary
Detects creation of data files within the Windows EFI volume by analyzing Sysmon FileCreate events (EventID 11) that match EFI Boot paths (e.g., C:\EFI\Boot\* with .dat files). This pattern can indicate attempts to bypass Secure Boot using vulnerable bootloaders to execute malicious system firmware code (e.g., CVE-2024-7344). The rule relies on EDR telemetry that includes process GUID, process name, and parent process, plus full command-line arguments, mapped to the CIM Endpoint data model (Files/Processes). When a matching EFI data file is observed, an alert is generated with a risk target on the host (dest) and the offending file_path, guiding analyst investigation. The detection is complemented by drilldown queries for user-driven or host-wide context. Known false positives include legitimate firmware updates or maintenance activities that temporarily write to the EFI volume; alerts should be reviewed carefully to differentiate benign activity from malicious boot alteration. References and analytic contexts are provided to aid triage and response (e.g., related BootKits and UEFI threats).
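As an added worked example (not the rule's own SPL or code from Splunk Security Content), the same matching logic in Python over a few constructed Sysmon records: keep only EventID 11, map the raw fields to the CIM Endpoint names the summary mentions, and raise an alert on a case-insensitive `\EFI\Boot\*.dat` path. Field names and sample values are assumptions, and the drive letter is left open rather than fixed to `C:`, which goes slightly beyond the summary.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon records (sample data written for this example, not real
# telemetry), already flattened to field/value pairs the way a Windows add-on
# would present them to a search.
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "ws01.corp.example", "ProcessGuid": "{guid-1}",
     "Image": "C:\\Users\\alice\\Downloads\\updater.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "updater.exe --stage",
     "TargetFilename": "C:\\EFI\\Boot\\cloak.dat"},
    {"EventID": 11, "Computer": "ws01.corp.example", "ProcessGuid": "{guid-2}",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "svchost.exe -k netsvcs",
     "TargetFilename": "C:\\Windows\\Temp\\cache.dat"},          # .dat, but not under EFI\Boot
    {"EventID": 11, "Computer": "srv02.corp.example", "ProcessGuid": "{guid-3}",
     "Image": "C:\\Windows\\System32\\fwupdate.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "fwupdate.exe /apply",
     "TargetFilename": "c:\\efi\\boot\\BOOTX64.DAT"},            # firmware-update style write, mixed case
    {"EventID": 1, "Computer": "ws01.corp.example", "ProcessGuid": "{guid-4}",
     "Image": "C:\\EFI\\Boot\\bootx64.efi", "ParentImage": "-", "CommandLine": "",
     "TargetFilename": ""},                                      # process create, not FileCreate
]

# Any drive letter, then \EFI\Boot\..., ending in .dat.  NTFS paths are
# case-insensitive, so the match must be too (assumed pattern, see lead-in).
EFI_DAT_PATTERN = re.compile(r"^[A-Z]:\\EFI\\Boot\\.*\.dat$", re.IGNORECASE)

@dataclass(frozen=True)
class Alert:
    dest: str                 # risk target: host that wrote the file
    file_path: str            # offending EFI data file
    process_name: str
    parent_process_name: str
    process_guid: str
    process: str              # full command line, kept for triage

def to_cim(event):
    """Map a raw Sysmon event to the CIM Endpoint field names the rule uses."""
    return {"dest": event["Computer"], "file_path": event["TargetFilename"],
            "process_name": event["Image"].rsplit("\\", 1)[-1],
            "parent_process_name": event["ParentImage"].rsplit("\\", 1)[-1],
            "process_guid": event["ProcessGuid"], "process": event["CommandLine"]}

def detect_efi_data_files(events):
    """One Alert per Sysmon FileCreate (EventID 11) that lands a .dat file under \\EFI\\Boot."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 11:       # only FileCreate events are in scope
            continue
        cim = to_cim(ev)
        if EFI_DAT_PATTERN.match(cim["file_path"]):
            alerts.append(Alert(**cim))
    return alerts
```

The third sample fires as well: a firmware-update tool writing to the EFI volume is exactly the known false positive the summary calls out, so the parent process and command line carried on the alert are what an analyst uses to separate it from a boot alteration.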
Categories
  • Endpoint
Data Sources
  • File
  • Process
ATT&CK Techniques
  • T1542.001
  • T1490
Created: 2026-04-13