Untrusted Driver Loaded

Elastic Detection Rules

Summary
This rule detects the loading of untrusted drivers on Windows systems, which can indicate a security compromise. Loading unsigned or self-signed code is a common adversary tactic for bypassing standard security controls, specifically Windows Driver Signature Enforcement (DSE), which blocks drivers that lack a valid signature.

The rule's EQL query matches driver-load events where the driver's code signature is marked as untrusted and the host operating system is Windows. It also requires that the process loading the driver is the System process (PID 4), which normally performs driver loading. Alerts from this rule therefore point to a potential bypass of driver signature checks, which can allow malicious kernel-mode drivers to be loaded and increases the risk of further compromise.

The accompanying investigative guidance outlines steps to enumerate loaded drivers, check their signatures, and determine their on-disk paths to support deeper investigation and remediation.
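The logic described above, re-implemented in Python over a handful of constructed driver-load events so the three conditions (untrusted signature, Windows host, loaded by PID 4) can be seen working together. This is an added example, not the rule's own EQL and not Elastic code; the event field names loosely mirror ECS-style naming (host OS type, process PID, driver path, code-signature trust and subject) but are assumptions chosen for illustration.

```python
"""Added example: the Untrusted Driver Loaded detection logic over constructed
events. Not the Elastic rule's EQL; field names are an assumption."""

from dataclasses import dataclass
from collections import defaultdict

SYSTEM_PID = 4  # the Windows System process, which normally loads drivers


@dataclass(frozen=True)
class DriverLoadEvent:
    """A minimal driver-load event (assumed shape, ECS-like field naming)."""
    host_os_type: str        # e.g. "windows"
    process_pid: int         # PID of the process that loaded the driver
    driver_path: str         # on-disk path of the loaded driver
    signature_trusted: bool  # whether the code signature chains to a trusted root
    signature_subject: str   # subject name on the signing certificate ("" if none)


def is_untrusted_driver_load(ev: DriverLoadEvent) -> bool:
    """Mirror the rule's three conditions: Windows host, System process as the
    loader, and a code signature that is not trusted (unsigned or self-signed)."""
    return (
        ev.host_os_type == "windows"
        and ev.process_pid == SYSTEM_PID
        and not ev.signature_trusted
    )


def find_alerts(events):
    """Return the driver paths that would trigger the rule, in event order."""
    return [ev.driver_path for ev in events if is_untrusted_driver_load(ev)]


def triage_by_signer(events):
    """Group alerting drivers by signer subject, a first step of the investigative
    guidance (check signatures, note paths). Unsigned drivers land under '<unsigned>'."""
    grouped = defaultdict(list)
    for ev in events:
        if is_untrusted_driver_load(ev):
            signer = ev.signature_subject or "<unsigned>"
            grouped[signer].append(ev.driver_path)
    return dict(grouped)


# Constructed sample events; paths and subjects are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    # Microsoft-signed driver loaded by System: trusted, no alert.
    DriverLoadEvent("windows", 4, r"C:\Windows\System32\drivers\example_trusted.sys",
                    True, "Microsoft Windows"),
    # Self-signed driver loaded by System: alert.
    DriverLoadEvent("windows", 4, r"C:\Windows\Temp\example_selfsigned.sys",
                    False, "EXAMPLE-SELF-SIGNED"),
    # Unsigned driver loaded by System: alert.
    DriverLoadEvent("windows", 4, r"C:\Users\Public\example_unsigned.sys",
                    False, ""),
    # Untrusted signature but loader is not PID 4: outside the rule's scope.
    DriverLoadEvent("windows", 1234, r"C:\Temp\example_other_loader.sys",
                    False, "EXAMPLE-SELF-SIGNED"),
    # Non-Windows host: outside the rule's scope.
    DriverLoadEvent("linux", 4, "/tmp/example.ko", False, ""),
]


if __name__ == "__main__":
    for path in find_alerts(SAMPLE_EVENTS):
        print("ALERT untrusted driver loaded by System:", path)
    for signer, paths in triage_by_signer(SAMPLE_EVENTS).items():
        print(f"signer={signer!r}: {paths}")
```

Events that fail any one of the three conditions (a trusted signature, a non-System loader, a non-Windows host) are deliberately left out, matching the scope the summary describes; the triage helper only organises what already alerted and does not widen it.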
Categories
  • Endpoint
  • Windows
Data Sources
  • Driver
  • Process
  • Application Log
ATT&CK Techniques
  • T1036
  • T1036.001
Created: 2023-01-27