
Suspicious .sys Created - Windows

Anvilogic Forge

Summary
This rule detects the creation of suspicious .sys files on Windows systems, which may indicate an adversary exploiting a vulnerable driver for malicious purposes, a technique often referred to as Bring Your Own Vulnerable Driver (BYOVD). Attackers often deliver these drivers during the initial access phase, or may transfer them later across compromised systems. The rule specifically captures file-creation events generated by Windows Sysmon, filtering on events whose event code corresponds to 'file creation' and whose file name ends with the .sys extension. By aggregating these events, the rule assesses how often a particular .sys file is created and flags instances that suggest an unusual pattern, such as a file seen on only a single host, triggering alerts for potentially malicious activity. The logic is implemented in Splunk, with detection thresholds tuned to minimize false positives while maintaining sensitivity to genuine threats.
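The aggregation the summary describes, written out as an added Python example so the filtering and threshold logic can be run and inspected offline. This is not the Anvilogic rule or its Splunk search; it mirrors the described steps over constructed Sysmon records. Sysmon logs file creation as Event ID 11, and the flat field names used here (EventCode, Computer, Image, TargetFilename) are an assumption about how those events arrive in a SIEM, as are the sample hostnames and paths, which are constructed for the example.

```python
# Added example, not Anvilogic's rule: find .sys files created on only a
# handful of hosts, the rarity signal the rule summary describes for BYOVD.
import ntpath
from collections import defaultdict

SYSMON_FILE_CREATE = 11  # Sysmon Event ID for "File created"

# Constructed sample events (field names and values are assumptions).
SAMPLE_EVENTS = [
    # A driver written on three hosts by the same system process: common, low interest.
    {"EventCode": 11, "Computer": "ws01.example.test",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\System32\\drivers\\usbaudio.sys"},
    {"EventCode": 11, "Computer": "ws02.example.test",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\System32\\drivers\\usbaudio.sys"},
    {"EventCode": 11, "Computer": "ws03.example.test",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\System32\\drivers\\usbaudio.sys"},
    # A driver dropped once, on a single host, from a user-writable location.
    {"EventCode": 11, "Computer": "ws07.example.test",
     "Image": "C:\\Users\\jdoe\\Downloads\\setup.exe",
     "TargetFilename": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\drv.SYS"},
    # Not a .sys file: the extension check must not match on a substring.
    {"EventCode": 11, "Computer": "ws07.example.test",
     "Image": "C:\\Windows\\Temp\\a.exe",
     "TargetFilename": "C:\\Windows\\Temp\\notes.sys.txt"},
    # Right extension, wrong event code (process creation), so it is ignored.
    {"EventCode": 1, "Computer": "ws07.example.test",
     "Image": "C:\\Windows\\Temp\\a.exe",
     "TargetFilename": "C:\\Windows\\Temp\\other.sys"},
]


def is_sys_creation(event):
    """True for Sysmon file-create events whose target path ends in .sys."""
    if event.get("EventCode") != SYSMON_FILE_CREATE:
        return False
    target = event.get("TargetFilename") or ""
    # Case-insensitive: Windows file systems are case-insensitive.
    return target.lower().endswith(".sys")


def aggregate_sys_creations(events):
    """Group matching events by lower-cased file name.

    Grouping by base name rather than full path lets the same driver dropped
    into different directories on different hosts be counted together.
    Returns {file_name: {"count": int, "hosts": set, "images": set}}.
    """
    agg = defaultdict(lambda: {"count": 0, "hosts": set(), "images": set()})
    for ev in events:
        if not is_sys_creation(ev):
            continue
        # ntpath handles backslash paths regardless of the host OS.
        name = ntpath.basename(ev["TargetFilename"]).lower()
        bucket = agg[name]
        bucket["count"] += 1
        bucket["hosts"].add(ev.get("Computer", "<unknown>"))
        bucket["images"].add(ev.get("Image", "<unknown>"))
    return dict(agg)


def find_rare_sys_files(events, max_hosts=1):
    """Return .sys file names created on at most max_hosts distinct hosts.

    max_hosts is the tuning knob: 1 matches the "single host" case in the
    summary; raising it trades false positives for sensitivity.
    """
    findings = []
    for name, stats in aggregate_sys_creations(events).items():
        if len(stats["hosts"]) <= max_hosts:
            findings.append({
                "file_name": name,
                "count": stats["count"],
                "hosts": sorted(stats["hosts"]),
                "images": sorted(stats["images"]),
            })
    # Rarest first, then by name for a stable order.
    return sorted(findings, key=lambda f: (len(f["hosts"]), f["file_name"]))


if __name__ == "__main__":
    for finding in find_rare_sys_files(SAMPLE_EVENTS):
        print(f"{finding['file_name']}: {finding['count']} creation(s) on "
              f"{finding['hosts']} by {finding['images']}")
```

Run as written, the script reports only drv.sys on ws07.example.test; usbaudio.sys is excluded because it appears on three hosts. In practice the writing process (Image) and the target directory are the first things a triage analyst would look at, which is why both are carried into the finding.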
Categories
  • Windows
  • Endpoint
Data Sources
  • File
  • Process
ATT&CK Techniques
  • T1543.003
  • T1068
  • T1543
Created: 2024-04-19