Legitimate Application Writing Files In Uncommon Location

Sigma Rules

Summary
This detection rule identifies instances where legitimate applications are observed writing files to unusual, non-standard locations on a Windows system. Such behaviors are indicative of potential misuse by adversaries who may utilize Living off the Land Binaries (LOLBins) to drop or download malicious files. These actions are often aimed at evading traditional security measures by exploiting legitimate tools that are already present on the system. The rule focuses on monitoring specific applications known for legitimate purposes - such as 'cmd.exe', 'certutil.exe', and 'mshta.exe' - and matches their file write events to locations that are atypical for these applications. This includes folders like 'Temp', 'ProgramData', and 'Recycle.Bin', among others. By correlating these two sets of conditions, the rule aims to surface potentially malicious activity that might otherwise remain hidden from conventional detection strategies. The rule is currently classified as experimental, suggesting ongoing refinement and testing to minimize false positives and improve accuracy. Its applicability is particularly relevant in threat landscapes where attackers leverage normal system functionalities for malicious purposes, thus presenting a significant defense evasion tactic.
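As an added illustration of the logic this summary describes (not the rule's own source, which this page does not reproduce), the Python below applies the two conditions to constructed Sysmon-style file-creation records: the process image must end with one of the named applications and the target path must contain one of the named folders, matched case-insensitively as Sigma's `endswith` and `contains` modifiers do. The application and folder lists contain only the names mentioned above and are assumptions about the real rule's selections.

```python
# Constructed Sysmon-style FileCreate (Event ID 11) records; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "TargetFilename": r"C:\Users\Public\Temp\update.dat"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\ProgramData\svc\run.bat"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "TargetFilename": r"C:\$Recycle.Bin\S-1-5-21-1\page.hta"},
    # Same binary writing to a location that is normal for it: should not match.
    {"Image": r"C:\Windows\System32\certutil.exe",
     "TargetFilename": r"C:\Windows\System32\CertLog\cert.log"},
    # Non-watched application writing to Temp: should not match.
    {"Image": r"C:\Program Files\Editor\editor.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\autosave.txt"},
]

# Assumed selections, restricted to the names given in the summary above;
# the real rule's full lists are not shown on this page.
WATCHED_IMAGES = ("\\cmd.exe", "\\certutil.exe", "\\mshta.exe")
UNCOMMON_FOLDERS = ("\\temp\\", "\\programdata\\", "recycle.bin\\")


def is_suspicious(event):
    """Return True when both selections hold, mirroring Sigma's
    case-insensitive 'endswith' (Image) and 'contains' (TargetFilename)."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return image.endswith(WATCHED_IMAGES) and any(f in target for f in UNCOMMON_FOLDERS)


def find_matches(events):
    """Filter a list of file-creation records down to the ones the rule would flag."""
    return [e for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT {hit['Image']} -> {hit['TargetFilename']}")
```

Running the block flags the first three records and leaves the two benign ones alone, which is the separation the rule relies on to keep false positives down.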
Categories
  • Endpoint
  • Windows
Data Sources
  • File
Created: 2025-12-10