Driver as Command Parameter

Anvilogic Forge

Summary
This detection rule identifies process executions in which a driver file (.sys) appears as a command-line parameter, potentially indicating malicious activity such as exploitation of vulnerabilities or the establishment of persistence by adversaries. The rule targets Windows event logs for Event Code 4688, which records process creation, and inspects the process command-line parameters for any reference to a '.sys' file. This behavior can indicate threat actors leveraging signed drivers to execute malicious code. The rule is relevant to known adversaries such as Bluebottle, Lancefly, and Lazarus, and is associated with notable malicious software, including Cuba and DirtyMoe. The techniques covered include system binary proxy execution and exploitation for privilege escalation; these, and the targeted behavior, align with attack patterns observed in advanced persistent threats (APTs). By monitoring these event codes and patterns, organizations can improve threat detection and respond to potential security incidents more effectively.
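The following is an added illustration of the logic the summary describes, run over a handful of constructed, SIEM-style 4688 records; it is not the Anvilogic Forge rule itself. Field names (EventCode, NewProcessName, CommandLine), the sample command lines, and the allowed_dirs tuning knob are assumptions made for the example. It filters to process-creation events, extracts command-line tokens that end in a .sys extension (so report.system.xlsx is not a hit), and optionally suppresses paths under known-good driver directories.

```python
import re
from typing import Iterable

# Constructed sample records shaped like SIEM-normalized Windows Security events.
# Field names are assumptions; a real pipeline's schema will differ.
SAMPLE_EVENTS = [
    {"EventCode": 4688, "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    # Service creation pointing a kernel driver at a user-writable location.
    {"EventCode": 4688, "NewProcessName": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc.exe create ExampleSvc type= kernel binPath= C:\Users\Public\example.sys"},
    # '.system' must not be mistaken for a '.sys' extension.
    {"EventCode": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c copy "C:\Temp\report.system.xlsx" D:\share\out'},
    # Hypothetical vendor installer referencing a driver in the standard drivers directory.
    {"EventCode": 4688, "NewProcessName": r"C:\Program Files\Vendor\Setup.exe",
     "CommandLine": r'"C:\Program Files\Vendor\Setup.exe" /driver "C:\Windows\System32\drivers\example.sys"'},
    # Not a process-creation event; constructed only to exercise the event-code filter.
    {"EventCode": 4689, "NewProcessName": r"C:\Temp\tool.exe",
     "CommandLine": r"C:\Temp\tool.exe C:\Temp\rogue.sys"},
]

# A whitespace/quote-delimited token ending in '.sys' as a whole extension:
# '\b' after 'sys' rejects '.system' and '.sysx'; matching is case-insensitive
# because Windows paths are.
SYS_TOKEN = re.compile(r'[^\s"\']+\.sys\b', re.IGNORECASE)


def extract_sys_paths(command_line: str) -> list[str]:
    """Return every command-line token that names a .sys file, in order of appearance."""
    return SYS_TOKEN.findall(command_line or "")


def detect(events: Iterable[dict], allowed_dirs: tuple[str, ...] = ()) -> list[dict]:
    """Flag Event Code 4688 records whose command line references a .sys file.

    allowed_dirs: case-insensitive directory prefixes to suppress (a tuning knob for
    known-good driver locations, an assumption of this example); empty suppresses nothing.
    """
    prefixes = tuple(d.lower() for d in allowed_dirs)
    alerts = []
    for ev in events:
        # Some pipelines carry EventCode as a string; normalize before comparing.
        if str(ev.get("EventCode")) != "4688":
            continue
        hits = [p for p in extract_sys_paths(ev.get("CommandLine", ""))
                if not p.lower().startswith(prefixes)]
        if hits:
            alerts.append({
                "process": ev.get("NewProcessName"),
                "command_line": ev.get("CommandLine"),
                "driver_paths": hits,
            })
    return alerts


if __name__ == "__main__":
    # With the standard drivers directory allowlisted, only the user-writable path remains.
    for alert in detect(SAMPLE_EVENTS, allowed_dirs=("C:\\Windows\\System32\\drivers\\",)):
        print(alert["process"], "->", alert["driver_paths"])
```

One check before relying on this in production: the command line is only present in 4688 records when the audit policy "Include command line in process creation events" is enabled; without it the CommandLine field is empty and the rule sees nothing. The allowlist is deliberately narrow, since a driver path under a user-writable directory is exactly the case the summary is concerned with, whereas an allowlist that is too broad would hide it.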
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1014
  • T1218
  • T1068
Created: 2024-02-09