Windows Mock Trusted Directory MSC File Creation

Splunk Security Content

Summary
Detects the creation of Microsoft Management Console (MSC) files within the Windows System32 directory (and its localized subfolders) to catch attempts that abuse Windows path parsing and potentially hijack execution flow. The rule ingests Sysmon EventID 11 FileCreate telemetry from EDR-enabled endpoints and matches MSC file creation paths such as C:\Windows\System32\*.msc and the locale-specific subdirectories (de-DE, en-US, es-ES, fr-FR, it-IT, ja-JP, ko-KR, zh-CN, zh-TW). Because a path with an embedded space (e.g., C:\Windows \System32) can be parsed differently by certain Windows components, a malicious MSC file placed in such a mock, space-separated path can execute in place of the legitimate Windows MSC component.

The search collects FileCreate events together with metadata (destination, creation time, process_path, process_guid, process_id, file_path, file_name, user, vendor_product, and action) to support investigation of potential persistence or privilege escalation attempts. It relies on Splunk CIM-normalized fields and endpoint data models, which allows correlation with other Windows persistence techniques (e.g., T1218.014, T1548.002, T1574).

Known false positives include installers and system maintenance tools that legitimately create MSC files in System32; these should be vetted and trusted processes whitelisted to reduce noise. References point to related threat research on MSC-based abuse, and the rule's drilldown options support investigating user/destination context and recent risk events. Overall, the rule uses endpoint telemetry to flag anomalous MSC file creation in a trusted Windows directory as a potentially malicious action requiring analyst follow-up.
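The matching logic described above, reimplemented in Python over constructed Sysmon EventID 11 records as an added illustration (this is not the Splunk search itself or any Splunk Security Content code). It assumes CIM-style field names, a hypothetical trusted_processes allow-list, and treats a space-padded "Windows " directory as the mock trusted directory; it also reports the locale subfolder when one is present.

```python
import re

# Constructed sample Sysmon EventID 11 (FileCreate) records in CIM-style
# field names; not real telemetry and not output of the page's search.
SAMPLE_EVENTS = [
    {"EventID": 11, "dest": "ws01", "user": "SYSTEM",
     "process_path": r"C:\Windows\System32\msiexec.exe",
     "file_path": r"C:\Windows\System32\compmgmt.msc"},
    {"EventID": 11, "dest": "ws02", "user": "alice",
     "process_path": r"C:\Users\alice\AppData\Local\Temp\stage.exe",
     "file_path": r"C:\Windows \System32\eventvwr.msc"},
    {"EventID": 11, "dest": "ws03", "user": "bob",
     "process_path": r"C:\Users\bob\Downloads\tool.exe",
     "file_path": r"C:\Windows\System32\en-US\services.msc"},
    {"EventID": 11, "dest": "ws03", "user": "bob",
     "process_path": r"C:\Users\bob\Downloads\tool.exe",
     "file_path": r"C:\Users\bob\Documents\notes.txt"},
    {"EventID": 1, "dest": "ws04", "user": "carol",  # not a FileCreate event
     "process_path": r"C:\Windows\System32\mmc.exe",
     "file_path": r"C:\Windows\System32\lusrmgr.msc"},
]

LOCALES = ("de-DE", "en-US", "es-ES", "fr-FR", "it-IT",
           "ja-JP", "ko-KR", "zh-CN", "zh-TW")

# <drive>:\Windows[spaces]\System32[\<locale>]\<name>.msc ; the "pad" group
# captures the trailing space that turns C:\Windows\System32 into the mock
# directory C:\Windows \System32 described in the summary.
MSC_PATH = re.compile(
    r"^[A-Za-z]:\\Windows(?P<pad> *)\\System32"
    r"(?:\\(?P<locale>" + "|".join(map(re.escape, LOCALES)) + r"))?"
    r"\\[^\\]+\.msc$",
    re.IGNORECASE,
)


def detect(events, trusted_processes=()):
    """Return one finding per EventID 11 .msc creation in System32 or a
    localized subfolder. trusted_processes (hypothetical allow-list of
    lower-cased full paths) suppresses hits in the real System32 only;
    a write into the mock, space-padded directory is never suppressed
    because no legitimate installer targets that path (design assumption)."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        m = MSC_PATH.match(ev.get("file_path", ""))
        if not m:
            continue
        mock_dir = bool(m.group("pad"))
        if not mock_dir and ev.get("process_path", "").lower() in trusted_processes:
            continue
        findings.append({**ev, "mock_trusted_dir": mock_dir, "locale": m.group("locale")})
    return findings
```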
Categories
  • Endpoint
  • Windows
Data Sources
  • Script
  • Windows Registry
  • File
  • Process
  • Logon Session
  • Module
  • Image
  • Network Traffic
  • Cloud Service
  • Active Directory
  • Domain Name
  • Service
  • WMI
  • Sensor Health
  • Kernel
  • Driver
  • Volume
ATT&CK Techniques
  • T1218.014
  • T1548.002
  • T1574
Created: 2026-04-13