Remote File Creation in World Writeable Directory

Elastic Detection Rules

Summary
This rule detects attempts to create files in world-writeable directories, a common step in lateral movement within a network. It specifically monitors file creation events performed through services typically associated with file transfer, such as SCP, SSH, FTP, SFTP, and Rsync, on Linux systems. By focusing on directories such as /tmp, /var/tmp, /dev/shm, and user home directories, the rule highlights potentially malicious activity by non-root users (user.id != "0"). The rule is written in EQL (Event Query Language) and filters file creation events from the logs indexed by the Elastic Stack against these constraints (directory, originating process, and user). It has been assigned a medium severity level with a risk score of 47, reflecting its value in identifying potential lateral movement. The detection requires either the Elastic Defend integration or Auditbeat as a data source, so one of these must be deployed on the monitored endpoints for the rule to be effective.
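To make the rule's filter concrete, the following is an added example in plain Python that approximates the constraints described above and runs them over constructed sample events; it is not the rule's actual EQL, and the process names, field names and sample data are assumptions.

```python
# Added example: a plain-Python approximation of the rule's filter, run over
# constructed sample events. Process names, field layout and sample data are
# assumptions, not the rule's actual EQL or real telemetry.
import fnmatch

# Assumed process names for the file-transfer services the rule mentions.
TRANSFER_PROCESSES = {"scp", "ssh", "sshd", "ftp", "sftp", "sftp-server", "rsync"}
# World-writeable locations the rule focuses on (home directories as a glob).
WATCHED_DIRS = ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*")


def is_suspicious(event: dict) -> bool:
    """Return True when a file creation event matches the rule's constraints."""
    if event.get("event.category") != "file" or event.get("event.type") != "creation":
        return False
    if event.get("user.id") == "0":  # root is excluded by the rule
        return False
    if event.get("process.name") not in TRANSFER_PROCESSES:
        return False
    path = event.get("file.path", "")
    # fnmatch's '*' also matches '/', so '/home/*' covers nested paths.
    return any(fnmatch.fnmatch(path, pattern) for pattern in WATCHED_DIRS)


def find_hits(events):
    """Return the subset of events the rule would alert on."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event.category": "file", "event.type": "creation", "user.id": "1001",
     "process.name": "scp", "file.path": "/tmp/update.sh"},             # hit
    {"event.category": "file", "event.type": "creation", "user.id": "0",
     "process.name": "rsync", "file.path": "/dev/shm/cache.bin"},       # root: excluded
    {"event.category": "file", "event.type": "creation", "user.id": "1001",
     "process.name": "vim", "file.path": "/tmp/notes.txt"},             # not a transfer service
    {"event.category": "file", "event.type": "creation", "user.id": "1001",
     "process.name": "sftp-server", "file.path": "/home/alice/.ssh/x"}, # hit
    {"event.category": "file", "event.type": "deletion", "user.id": "1001",
     "process.name": "scp", "file.path": "/var/tmp/old"},               # not a creation
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(hit["user.id"], hit["process.name"], hit["file.path"])
```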
Categories
  • Endpoint
  • Linux
Data Sources
  • File
  • Process
  • User Account
ATT&CK Techniques
  • T1021
  • T1021.004
  • T1570
Created: 2025-02-20