File Creation in World-Writable Directory by Unusual Process

Elastic Detection Rules

Summary
Detects Linux file creation in world-writable directories (e.g., /tmp, /var/tmp, /run, /dev/shm) by an unusual process. The alert flags attempts to stage payloads or backdoor content in writable locations, a common tactic for transient execution and lateral movement. It correlates process context (names and executables) with file-path activity to identify suspicious staging behavior on Linux endpoints. The rule leverages data from Elastic Defend, Endgame, and SentinelOne cloud funnel integrations and uses a Kuery-based query to join Linux host events (host.os.type: linux), file creation events, and process/file-path indicators. It includes exclusions to reduce false positives for legitimate maintenance and packaging tasks and maps to MITRE ATT&CK techniques related to defense evasion and file/permission handling (notably T1222.002: Linux and Mac File and Directory Permissions Modification).
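As an added example (not Elastic's rule code), the logic described above expressed as a small Python evaluator over ECS-style events: Linux host, file creation event, path under a world-writable directory, process not on an exclusion list. The directory list, the process allowlist and the path exclusion are illustrative assumptions, not the rule's actual values.

```python
# Assumption: illustrative directory and exclusion lists, not the rule's own values.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/run/", "/dev/shm/")
EXCLUDED_PROCESSES = {"apt", "dpkg", "rpm", "dnf", "systemd-tmpfiles"}  # hypothetical allowlist
EXCLUDED_PATH_PREFIXES = ("/run/systemd/",)  # hypothetical path exclusion

def get(event, dotted):
    """Read an ECS dotted field such as 'host.os.type' from a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def has_value(event, field, value):
    """ECS event.category/event.type may be a string or a list; match either form."""
    found = get(event, field)
    return value in found if isinstance(found, list) else found == value

def matches_rule(event):
    """Linux file creation under a world-writable directory by a non-excluded process."""
    if get(event, "host.os.type") != "linux":
        return False
    if not (has_value(event, "event.category", "file") and has_value(event, "event.type", "creation")):
        return False
    path = get(event, "file.path") or ""
    if not path.startswith(WORLD_WRITABLE_DIRS) or path.startswith(EXCLUDED_PATH_PREFIXES):
        return False
    return (get(event, "process.name") or "") not in EXCLUDED_PROCESSES

def alerting_paths(events):
    """Return the file.path of every matching event, in input order."""
    return [get(e, "file.path") for e in events if matches_rule(e)]

def ev(os_type, path, proc, etype="creation"):
    """Build a constructed ECS-like event (sample data, not real telemetry)."""
    return {"host": {"os": {"type": os_type}}, "event": {"category": ["file"], "type": [etype]},
            "file": {"path": path}, "process": {"name": proc}}

# Constructed samples: a staged file, a packaging task, a non-Linux host,
# an excluded systemd runtime path, and a modification rather than a creation.
SAMPLE_EVENTS = [
    ev("linux", "/dev/shm/.cache-x", "bash"),
    ev("linux", "/tmp/apt-dpkg-install-abc", "dpkg"),
    ev("windows", "/tmp/whatever", "bash"),
    ev("linux", "/run/systemd/units/invocation:x.service", "systemd"),
    ev("linux", "/var/tmp/note.txt", "vim", etype="change"),
]
```

Calling `alerting_paths(SAMPLE_EVENTS)` returns only the `/dev/shm/.cache-x` event; the other four are dropped by the OS, process, path-prefix and event-type checks respectively.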
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1222
  • T1222.002
Created: 2026-04-09