title: Suspicious Driver Load from Temp description: Detects a driver load from a temporary directory author: Florian Roth logsource: product: windows service: sysmon detection: selection: EventID: 6 ImageLoaded: '*\Temp\\*' condition: selection falsepositives: - there is a relevant set of false positives depending on applications in the environment level: medium