
Summary
The detection rule 'Windows System File on Disk' identifies the creation of .sys files on disk outside the directories that normally hold them. A .sys file is a kernel-mode driver, so a new one appearing in a user-writable location (a Temp directory, a download folder, ProgramData) is frequently the staging step for loading a rootkit or a vulnerable signed driver that the attacker then abuses to run code in the kernel, bypass security products and persist; that is why the rule maps to T1068 (Exploitation for Privilege Escalation). The search runs over the Endpoint.Filesystem data model and matches file names ending in .sys. To reduce noise from Windows Update and legitimate driver installations, common system directories (the Windows driver directories, for example) can be excluded from the search; the exclusion list should be maintained deliberately, since every directory added to it is a place where a malicious driver write goes unseen. A hit is not proof of compromise: security software, VPN clients and hardware utilities also drop drivers, so each alert should be triaged by checking the file's Authenticode signature and hash, the process and user that wrote it, and whether a driver service was created or the driver was loaded shortly after the write.
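The following is an added example, not the rule's shipped SPL or any Splunk code: it re-implements the detection logic in Python over a handful of constructed Endpoint.Filesystem-style events so the directory exclusion can be exercised offline. The exclusion list, event fields and file paths are illustrative assumptions. It also shows one pitfall of the exclusion: a naive string-prefix test would treat C:\Windows2\ as inside C:\Windows\, so paths are compared component by component.

```python
"""
Added example: 'Windows System File on Disk' logic over constructed events.
Not the detection's own SPL; the exclusion list and event shape are assumptions.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from collections import Counter

# Directories that legitimately receive .sys files on a patched host.
# Assumption: illustrative allow-list, not the rule's shipped one.
EXCLUDED_DIRS = (
    r"C:\Windows\System32\drivers",
    r"C:\Windows\System32\DriverStore",
    r"C:\Windows\WinSxS",
    r"C:\Windows\SoftwareDistribution",
)


@dataclass(frozen=True)
class FileEvent:
    """Minimal shape of a file-creation event from the Endpoint.Filesystem model."""
    file_path: str
    process_name: str
    user: str


def _normalize(path: str) -> PureWindowsPath:
    # Windows paths are case-insensitive and accept either separator;
    # fold both once so all comparisons are consistent.
    return PureWindowsPath(str(PureWindowsPath(path)).lower())


def under_excluded_dir(path: str) -> bool:
    """True if path lies inside one of EXCLUDED_DIRS (or is that directory)."""
    p = _normalize(path)
    for d in EXCLUDED_DIRS:
        # is_relative_to compares path components, so C:\Windows2\... is NOT
        # considered inside C:\Windows (a str.startswith() check would be fooled).
        if p.is_relative_to(_normalize(d)):
            return True
    return False


def detect_sys_file_writes(events):
    """Return the events that write a .sys file outside the excluded directories."""
    hits = []
    for e in events:
        if _normalize(e.file_path).suffix != ".sys":
            continue
        if under_excluded_dir(e.file_path):
            continue
        hits.append(e)
    return hits


def hits_by_process(hits):
    """Triage helper: how many flagged writes each process produced."""
    return dict(Counter(h.process_name for h in hits))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Windows servicing writing into the driver directory: expected, excluded.
    FileEvent(r"C:\Windows\System32\drivers\ndis.sys", "TiWorker.exe", "SYSTEM"),
    # Same directory, different casing and forward slashes: still excluded.
    FileEvent(r"c:/windows/system32/DRIVERS/storport.sys", "TiWorker.exe", "SYSTEM"),
    # Driver staged in a user's Temp directory: flagged.
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\drv_update.sys", "loader.exe", "alice"),
    # Lookalike directory that a prefix match would wrongly exclude: flagged.
    FileEvent(r"C:\Windows2\drivers\svc.sys", "setup.exe", "alice"),
    # Third-party vendor staging a driver: flagged, a likely false positive to triage.
    FileEvent(r"C:\ProgramData\VendorTool\vendor.sys", "VendorSetup.exe", "SYSTEM"),
    # Not a driver at all: ignored.
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\notes.txt", "notepad.exe", "alice"),
]


if __name__ == "__main__":
    for hit in detect_sys_file_writes(SAMPLE_EVENTS):
        print(f"{hit.process_name} ({hit.user}) wrote {hit.file_path}")
    print(hits_by_process(detect_sys_file_writes(SAMPLE_EVENTS)))
```

In a real deployment the flagged events would be enriched before an analyst sees them: the file's signature status and hash, whether a service pointing at the path was created, and whether a driver-load event followed.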
Categories
- Endpoint
Data Sources
- Pod
ATT&CK Techniques
- T1068
Created: 2024-11-13