Windows XLL File Creation Outside of Typical Location

Splunk Security Content

Summary
This anomaly detects the creation of Windows XLL add-in files (.xll) in non-standard locations. XLL add-ins can be loaded by Excel via COM objects to execute code, which makes them a common technique for spreadsheet-based malware. The rule watches Sysmon EventID 11 file-creation events for paths ending in .xll and excludes known-safe locations (Program Files\\Microsoft Office\\* and AppData\\Roaming\\Microsoft\\AddIns\\*). It surfaces each match with context: destination host, file creation time, the creating process (path, GUID, PID), the file path and file name, the user, and the vendor product. The output supports alerting, forensics, and incident response by highlighting XLL files placed, and potentially executed, outside typical add-in workflows. Known false positives include legitimate Excel add-ins and administrative tools that drop XLLs in non-standard folders; review these and allow-list the applications to reduce noise. The rule is designed for EDR data ingested into the Endpoint data model and normalized by Splunk CIM, and it supports drilldowns by user/destination or risk events in dashboards.
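The filter the summary describes, run over a few constructed Sysmon EventID 11 records, as an added example that is not the Splunk rule's own SPL. The two allow-listed paths are the ones the summary names; the leading `*\` on each pattern, the Sysmon-style field names, and every sample value are assumptions made for the example.

```python
from fnmatch import fnmatchcase

# Known-good XLL locations excluded by the rule (taken from the summary).
# The leading "*\" is an assumption so each pattern matches anywhere in a full path.
ALLOWED_XLL_PATTERNS = (
    r"*\program files\microsoft office\*",
    r"*\appdata\roaming\microsoft\addins\*",
)

def is_anomalous_xll_create(event):
    """True for a Sysmon EventID 11 (FileCreate) whose target ends in .xll
    and lies outside the allow-listed add-in folders."""
    if event.get("EventID") != 11:
        return False
    path = event.get("TargetFilename", "").lower()
    if not path.endswith(".xll"):
        return False
    # fnmatchcase treats backslash literally and '*' spans directory separators
    return not any(fnmatchcase(path, p) for p in ALLOWED_XLL_PATTERNS)

def find_xll_anomalies(events):
    """Return the contextual fields the rule surfaces for each matching event."""
    hits = []
    for ev_ in events:
        if is_anomalous_xll_create(ev_):
            path = ev_["TargetFilename"]
            hits.append({"dest": ev_["Computer"], "file_create_time": ev_["UtcTime"],
                         "process_path": ev_["Image"], "process_guid": ev_["ProcessGuid"],
                         "process_id": ev_["ProcessId"], "file_path": path,
                         "file_name": path.rsplit("\\", 1)[-1], "user": ev_["User"]})
    return hits

def ev(event_id, target, image, user="CORP\\alice"):
    """Build a constructed Sysmon-style record (sample data, not real telemetry)."""
    return {"EventID": event_id, "Computer": "ws01", "UtcTime": "2026-04-13 09:15:02.101",
            "Image": image, "ProcessGuid": "{00000000-0000-0000-0000-000000000001}",
            "ProcessId": 4120, "TargetFilename": target, "User": user}

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    ev(11, r"C:\Users\alice\Downloads\quarterly.xll", r"C:\Users\alice\AppData\Local\Temp\setup.exe"),
    ev(11, OFFICE + r"\Library\Analysis\ANALYS32.XLL", r"C:\Windows\System32\msiexec.exe"),  # allow-listed
    ev(11, r"C:\Users\alice\AppData\Roaming\Microsoft\AddIns\budget.xll", OFFICE + r"\EXCEL.EXE"),  # allow-listed
    ev(11, r"C:\Users\alice\Downloads\report.xlsx", OFFICE + r"\EXCEL.EXE"),  # not an XLL
    ev(1, r"C:\Users\Public\tool.xll", r"C:\Windows\explorer.exe"),  # not a FileCreate event
    ev(11, r"C:\Users\Public\tool.xll", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for hit in find_xll_anomalies(SAMPLE_EVENTS):  # prints quarterly.xll and tool.xll
        print(hit["dest"], hit["user"], hit["process_path"], "->", hit["file_path"])
```

Because the allow-list is exactly the two paths the summary names, XLLs that legitimate installers or admin tools drop elsewhere will be flagged, which is the false-positive case the summary describes; extend ALLOWED_XLL_PATTERNS with reviewed locations to cut that noise.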
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1129
  • T1059
Created: 2026-04-13