BYOVD: Kernel Driver Loaded from Non-Standard User Path
Detects Bring Your Own Vulnerable Driver (BYOVD) activity by flagging kernel driver loads from paths that unprivileged users can write to. The technique is documented in the Windows Privilege Escalation 2025 report as a route to kernel-level code execution, used to disable EDR sensors (including Falcon) and to implant rootkits. Legitimate OS drivers are installed to and loaded from %SystemRoot%\System32\drivers, never from Temp, AppData, or Downloads. The load path is the signal, not the signer: a BYOVD driver is a genuine vendor driver and usually carries a valid signature, so a signed driver loading from a user-writable location is exactly what this rule should fire on. Tune exceptions by file hash rather than by path or publisher, because some third-party hardware and benchmarking utilities drop their driver into %TEMP% and load it from there.
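The detection logic as an added, runnable example (not the rule's own implementation). It assumes Sysmon Event ID 6 (DriverLoad) records flattened into key=value lines; the sample events, file names, and the SystemRoot mapping are constructed for this example, and the user-writable path patterns follow the Temp, AppData and Downloads locations named above.

```python
import re

# Constructed Sysmon Event ID 6 (DriverLoad) records in key=value form; the
# driver names and signers are hypothetical. Event ID 7 is a user-mode image
# load and is included only to show it is ignored.
SAMPLE_EVENTS = [
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    "EventID=6 ImageLoaded=\\??\\C:\\Users\\alice\\AppData\\Local\\Temp\\vendortool.sys Signed=true Signature=Example Hardware Co SignatureStatus=Valid",
    "EventID=6 ImageLoaded=C:\\Users\\bob\\Downloads\\diskutil.sys Signed=true Signature=Example OEM Ltd SignatureStatus=Valid",
    "EventID=6 ImageLoaded=C:\\Windows\\Temp\\updater.sys Signed=true Signature=Contoso Ltd SignatureStatus=Valid",
    "EventID=7 ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll Signed=false Signature= SignatureStatus=Unavailable",
]

# Directories an unprivileged user can write to. Matched against the
# normalized, lower-cased path. Per-user AppData and Downloads live under
# \Users\<name>\; "\temp\" covers both %TEMP% and C:\Windows\Temp.
USER_WRITABLE = re.compile(
    r"""
    \\users\\[^\\]+\\(?:appdata|downloads)\\   # per-user AppData or Downloads
    | \\temp\\                                  # any Temp directory
    """,
    re.VERBOSE,
)

# Hash allowlist for tuning. Exceptions belong here, keyed by SHA256,
# never by path prefix or signer name (the BYOVD driver is validly signed).
KNOWN_GOOD_SHA256 = set()


def parse_event(line):
    """Turn 'Key=Value Key=Value ...' into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def normalize(path):
    """Strip NT object-manager prefixes and lower-case the path.

    Kernel service ImagePath values are often written as \\??\\C:\\... or
    \\SystemRoot\\...; the SystemRoot -> C:\\Windows mapping is an assumption
    for this example (read it from the host in production).
    """
    p = path.strip()
    for prefix in ("\\??\\", "\\\\?\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    if p.lower().startswith("\\systemroot\\"):
        p = "C:\\Windows\\" + p[len("\\systemroot\\"):]
    return p.lower()


def detect_byovd(lines):
    """Return one alert per kernel driver loaded from a user-writable path."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "6":          # kernel driver loads only
            continue
        if ev.get("SHA256") in KNOWN_GOOD_SHA256:
            continue
        image = normalize(ev.get("ImageLoaded", ""))
        m = USER_WRITABLE.search(image)
        if m:
            hits.append({
                "image": image,
                "signer": ev.get("Signature", ""),
                "signed": ev.get("Signed", ""),
                "matched": m.group(0),
            })
    return hits


if __name__ == "__main__":
    for hit in detect_byovd(SAMPLE_EVENTS):
        print(f"BYOVD candidate: {hit['image']} (signed={hit['signed']}, "
              f"signer={hit['signer']!r}, matched {hit['matched']!r})")
```

Every alert in the sample set is for a validly signed driver, which is the point: path is the discriminator, and the hash allowlist is the only tuning knob that does not reopen the gap.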