
Summary
This detection rule identifies when the System Informer driver is loaded on Windows systems by monitoring driver load events. It matches loads of the `SystemInformer.sys` driver file by path, and it also checks the loaded image against a predefined list of SHA256 hashes of known instances of this driver, which is often used in privilege escalation attacks. The rule matters because System Informer, while useful for legitimate system administration, can also be employed by malicious actors to gain unauthorized system access or escalate privileges. Given this dual-use nature, careful consideration must be given to the operational environments where the rule is deployed. The detection strategy combines the file path and SHA256 hash patterns to identify the driver precisely, so that legitimate uses can be distinguished while analysts remain vigilant for potential misuse.
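The matching logic the summary describes, as an added example that is not the rule's own code: a small Python matcher that applies both conditions (image path ending in `SystemInformer.sys`, or SHA256 on a known-hash list) to driver-load events in the shape of Sysmon Event ID 6. The hash list and the events are constructed placeholders; the rule's real SHA256 values are not reproduced here.

```python
import hashlib
from typing import Iterable

# Constructed placeholder hashes. The real rule carries the SHA256 values of
# known SystemInformer.sys builds; these are just SHA256 digests of label
# strings so the example runs offline.
KNOWN_SYSTEMINFORMER_SHA256 = {
    hashlib.sha256(b"placeholder-systeminformer-build-1").hexdigest(),
    hashlib.sha256(b"placeholder-systeminformer-build-2").hexdigest(),
}

# Path suffix the rule looks for (compared case-insensitively).
DRIVER_NAME = "\\systeminformer.sys"


def parse_sysmon_hashes(hashes_field: str) -> dict:
    """Parse a Sysmon-style 'Hashes' field ('SHA256=...,MD5=...') into a dict
    keyed by upper-case algorithm name with lower-case hex digest values."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def match_driver_load(event: dict) -> list:
    """Return the reasons this driver-load event matches the rule
    (an empty list means no match): 'image_name' when the loaded image path
    ends in \\SystemInformer.sys, 'sha256' when its hash is on the known list."""
    reasons = []
    image = event.get("ImageLoaded", "")
    if image.lower().endswith(DRIVER_NAME):
        reasons.append("image_name")
    sha256 = parse_sysmon_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in KNOWN_SYSTEMINFORMER_SHA256:
        reasons.append("sha256")
    return reasons


def scan(events: Iterable[dict]) -> list:
    """Run the matcher over a stream of events; return (event, reasons) per hit."""
    hits = []
    for ev in events:
        reasons = match_driver_load(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample events modelled on Sysmon Event ID 6 (DriverLoad).
SAMPLE_EVENTS = [
    {"EventID": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\http.sys",
     "Hashes": "SHA256=" + hashlib.sha256(b"unrelated-driver").hexdigest()},
    {"EventID": 6,
     "ImageLoaded": r"C:\Program Files\SystemInformer\SystemInformer.sys",
     "Hashes": "SHA256=" + hashlib.sha256(b"placeholder-systeminformer-build-1").hexdigest()},
    # Same driver under a different file name: only the hash condition fires,
    # which is why the rule carries both conditions.
    {"EventID": 6,
     "ImageLoaded": r"C:\Users\Public\ksi.sys",
     "Hashes": "SHA256=" + hashlib.sha256(b"placeholder-systeminformer-build-2").hexdigest()},
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(ev["ImageLoaded"], "->", ",".join(reasons))
```

The two conditions are deliberately OR-ed, as in the rule: the path check catches the driver installed under its normal name, and the hash check catches the same binary when the name alone would not identify it. For triage in an environment where the tool is sanctioned, the `reasons` list tells the analyst which condition fired so that known administrative installs can be reviewed separately from unexpected ones.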
Categories
- Endpoint
- Windows
Data Sources
- Driver
Created: 2023-05-08