Kernel Driver Loaded from Non-Standard Path — BYOVD Attack

Detects the loading of kernel drivers (.sys) from non-standard paths such as Temp, AppData, or ProgramData. The BYOVD (Bring Your Own Vulnerable Driver) technique enables escalation to kernel level and EDR evasion, particularly relevant given the landscape of critical Windows driver vulnerabilities documented in 2025.
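The path check described above, sketched as an added example; it is not the subscription query from this page. It assumes driver-load telemetry shaped like Sysmon Event ID 6 records with `ImageLoaded` and `Signed` fields, and the function names and sample events are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Directory names the page lists as non-standard driver locations.
SUSPECT_DIRS = ("temp", "appdata", "programdata")

def suspect_dir(image_path):
    """Return the suspect directory a .sys path sits under, else None."""
    p = image_path.strip().strip('"').replace("/", "\\").lower()
    # Kernel-style paths may carry an NT or extended-length prefix.
    for prefix in ("\\??\\", "\\\\?\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    path = PureWindowsPath(p)
    if path.suffix != ".sys":
        return None
    # Compare whole path components so "C:\Template\x.sys" does not match.
    for part in path.parent.parts:
        if part in SUSPECT_DIRS:
            return part
    return None

def flag_driver_loads(events):
    """Return (path, matched_dir, signed) for each suspicious driver load."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 6:  # assumption: 6 = driver load (Sysmon)
            continue
        matched = suspect_dir(ev.get("ImageLoaded", ""))
        if matched:
            # Signed is reported, not filtered on: a vulnerable driver
            # brought by an attacker is typically validly signed.
            hits.append((ev["ImageLoaded"], matched, ev.get("Signed")))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\example_net.sys", "Signed": "true"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\example_drv.sys", "Signed": "true"},
    {"EventID": 6, "ImageLoaded": r"\??\C:\ProgramData\Vendor\EXAMPLE2.SYS", "Signed": "false"},
    {"EventID": 6, "ImageLoaded": r"C:\Template\example3.sys", "Signed": "true"},
    {"EventID": 7, "ImageLoaded": r"C:\Windows\Temp\example.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for path, matched, signed in flag_driver_loads(SAMPLE_EVENTS):
        print(f"ALERT dir={matched} signed={signed} path={path}")
```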
