
Summary
This detection rule identifies potentially malicious file activity on Windows hosts by tracking unusual writes of dynamic link libraries (.dll) and Visual Basic scripts (.vbs). Threat actors routinely stage these file types on compromised systems to support follow-on execution, persistence, or lateral movement; the behaviour is associated with groups such as APT29 and APT31, among many others. The rule relies on Windows Security Event ID 4656 ("A handle to an object was requested") and looks for file handles requested with write access on objects whose name ends in .dll or .vbs, which is the point at which a new file is created or copied to disk. It focuses on process names that write only a small number of distinct files of these types: a low count of unique files per process is more consistent with a one-off drop than with an installer or updater that legitimately writes many libraries. The logic uses a regex to extract the file extension from the object name and a stats aggregation (event count and distinct file count per process name) to reduce noise and surface behaviour that deviates from the host's normal operating baseline.

Two practical caveats apply. Event ID 4656 is only generated when the Audit File System subcategory of Object Access auditing is enabled and the target directory or file carries a matching SACL, so hosts without that configuration produce no data for this rule. The event also records the access that was requested when the handle was opened, not whether the write actually happened; where confirmation is needed, correlate with Event ID 4663 ("An attempt was made to access an object") for the same handle.
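The following is an added example of the detection logic described above, written in Python rather than as the rule's own search language so it can be run offline. It is not the rule's code. The input is a constructed set of Event ID 4656 records reduced to the fields the logic needs (ProcessName, ObjectName, AccessMask); the field names follow the Windows Security log, but the events themselves are invented, and the max_distinct threshold is an assumed tuning value rather than the rule's.

```python
"""Toy implementation of the rare .dll/.vbs write detection over Event ID 4656.

Added example, not the detection rule's own search. Events below are
constructed, not captured telemetry; field names follow the Windows
Security log, the threshold in detect_rare_writes is an assumption.
"""
import re
from collections import defaultdict

# Standard file access-right bits seen in the 4656 AccessMask field.
FILE_READ_DATA = 0x1
FILE_WRITE_DATA = 0x2
FILE_APPEND_DATA = 0x4
FILE_EXECUTE = 0x20

# Constructed sample events (hypothetical hosts, paths and processes).
SAMPLE_EVENTS = [
    # A service host dropping a single DLL into Temp: should be flagged.
    {"EventCode": 4656, "ProcessName": r"C:\Windows\System32\svchost.exe",
     "ObjectName": r"C:\Windows\Temp\update.dll", "AccessMask": "0x2"},
    # A script host writing the same .vbs twice: one distinct file, flagged.
    {"EventCode": 4656, "ProcessName": r"C:\Windows\System32\wscript.exe",
     "ObjectName": r"C:\Users\Public\run.vbs", "AccessMask": "0x6"},
    {"EventCode": 4656, "ProcessName": r"C:\Windows\System32\wscript.exe",
     "ObjectName": r"C:\Users\Public\run.vbs", "AccessMask": "0x6"},
    # Execute-only handle on a system DLL: a load, not a write; ignored.
    {"EventCode": 4656, "ProcessName": r"C:\Program Files\App\app.exe",
     "ObjectName": r"C:\Windows\System32\kernel32.dll", "AccessMask": "0x20"},
    # Write to a non-target extension: ignored.
    {"EventCode": 4656, "ProcessName": r"C:\Windows\System32\svchost.exe",
     "ObjectName": r"C:\Windows\Temp\log.txt", "AccessMask": "0x2"},
    # Different event ID: ignored (this rule keys on 4656 only).
    {"EventCode": 4663, "ProcessName": r"C:\Windows\System32\svchost.exe",
     "ObjectName": r"C:\Windows\Temp\other.dll", "AccessMask": "0x2"},
]
# An installer writing many distinct DLLs: high unique-file count, not flagged.
SAMPLE_EVENTS += [
    {"EventCode": 4656, "ProcessName": r"C:\Windows\System32\msiexec.exe",
     "ObjectName": rf"C:\Program Files\Vendor\lib{i}.dll", "AccessMask": "0x2"}
    for i in range(8)
]

# Regex filter on the object name, equivalent to the rule's extension match.
TARGET_EXT_RE = re.compile(r"\.(dll|vbs)$", re.IGNORECASE)


def is_write_request(access_mask):
    """True if the requested access includes a data-write right."""
    mask = int(access_mask, 16) if isinstance(access_mask, str) else access_mask
    return bool(mask & (FILE_WRITE_DATA | FILE_APPEND_DATA))


def filter_write_events(events):
    """Keep 4656 events that request write access to a .dll or .vbs object."""
    return [
        e for e in events
        if e.get("EventCode") == 4656
        and TARGET_EXT_RE.search(e.get("ObjectName", ""))
        and is_write_request(e.get("AccessMask", "0x0"))
    ]


def aggregate_by_process(events):
    """Equivalent of: stats count, dc(ObjectName), values(ObjectName) by ProcessName."""
    agg = defaultdict(lambda: {"count": 0, "files": set()})
    for e in events:
        row = agg[e["ProcessName"]]
        row["count"] += 1
        row["files"].add(e["ObjectName"].lower())
    return {
        proc: {"count": r["count"],
               "distinct_files": len(r["files"]),
               "files": sorted(r["files"])}
        for proc, r in agg.items()
    }


def detect_rare_writes(events, max_distinct=2):
    """Return (ProcessName, stats) for processes writing few distinct target files.

    max_distinct is an assumed tuning threshold; real deployments derive it
    from the environment's baseline rather than a fixed constant.
    """
    agg = aggregate_by_process(filter_write_events(events))
    return sorted(
        ((proc, r) for proc, r in agg.items() if r["distinct_files"] <= max_distinct),
        key=lambda pr: pr[0],
    )


if __name__ == "__main__":
    for proc, stats in detect_rare_writes(SAMPLE_EVENTS):
        print(f"{proc}: {stats['count']} write(s) to {stats['distinct_files']} file(s): {stats['files']}")
```

Running the block flags svchost.exe (one DLL in Temp) and wscript.exe (one .vbs written twice) while discarding the execute-only DLL load, the .txt write, the 4663 event and the installer that touched eight distinct libraries; the write-bit check on AccessMask is what separates a drop from the far more common read or load of an existing DLL.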
Categories
- Windows
- Endpoint
Data Sources
- File
- Windows Registry
- Application Log
ATT&CK Techniques
- T1105 (Ingress Tool Transfer)
Created: 2024-02-09