
Summary
This detection rule identifies potentially malicious executable files being written to disk, supporting proactive threat detection. It monitors Windows event logs for Event ID 4656 entries whose requested access falls under the write or add access types, which can indicate the creation or modification of executable files on a system. The rule filters these events on file extensions commonly associated with executables and scripts, including `.exe`, `.cmd`, `.bat`, and others. It is relevant to a wide range of threat actors and malware families known to use executable files to compromise systems, including groups such as APT28 (Fancy Bear), APT29 (Cozy Bear), and various ransomware strains. By extracting the host, user, event ID, file path, process name, and other details from these events, security operations can quickly identify suspicious filesystem activity and respond in a timely manner. The rule maps to MITRE ATT&CK technique T1105 (Ingress Tool Transfer), which covers attackers transferring malicious tools or scripts into the environment.
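As an added illustration, not part of the rule itself, the Python below applies the page's criteria to constructed Event ID 4656 records: it keeps only write/add access requests on files with the listed extensions and extracts the host, user, event ID, file path and process name. Field names follow the 4656 EventData schema as rendered by the event viewer; the extensions beyond `.exe`, `.cmd` and `.bat` are an assumption standing in for the page's "and others".

```python
from dataclasses import dataclass

# Extensions the rule names (.exe, .cmd, .bat); the remaining entries stand in
# for the page's "and others" and are an assumed list of common script types.
EXECUTABLE_EXTENSIONS = (".exe", ".cmd", ".bat", ".ps1", ".vbs", ".js", ".dll", ".scr")

# Rendered access names in a 4656 AccessList that mean write or add access.
# (4656 is only logged for objects carrying a SACL with object access auditing on.)
WRITE_ACCESS_MARKERS = ("WriteData", "AddFile", "AppendData")

@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    event_id: int
    file_path: str
    process_name: str

def is_executable_write(event: dict) -> bool:
    """True when a 4656 event requests write/add access to an executable or script file."""
    if event.get("EventID") != 4656 or event.get("ObjectType") != "File":
        return False
    accesses = event.get("AccessList", "")
    if not any(marker in accesses for marker in WRITE_ACCESS_MARKERS):
        return False
    return event.get("ObjectName", "").lower().endswith(EXECUTABLE_EXTENSIONS)

def detect(events: list[dict]) -> list[Alert]:
    """Run the rule over parsed events and extract the fields the rule reports."""
    return [Alert(e["Computer"], e["SubjectUserName"], e["EventID"], e["ObjectName"], e["ProcessName"])
            for e in events if is_executable_write(e)]

# Constructed sample events using 4656 EventData field names (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4656, "Computer": "WS01", "SubjectUserName": "alice", "ObjectType": "File",
     "ObjectName": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "AccessList": "WriteData (or AddFile)", "ProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4656, "Computer": "WS01", "SubjectUserName": "alice", "ObjectType": "File",
     "ObjectName": r"C:\Users\alice\Documents\notes.txt",
     "AccessList": "WriteData (or AddFile)", "ProcessName": r"C:\Windows\notepad.exe"},
    {"EventID": 4656, "Computer": "WS02", "SubjectUserName": "bob", "ObjectType": "File",
     "ObjectName": r"C:\Program Files\App\app.exe",
     "AccessList": "ReadData (or ListDirectory)", "ProcessName": r"C:\Program Files\App\app.exe"},
    {"EventID": 4663, "Computer": "WS02", "SubjectUserName": "bob", "ObjectType": "File",
     "ObjectName": r"C:\Temp\run.bat",
     "AccessList": "WriteData (or AddFile)", "ProcessName": r"C:\Windows\explorer.exe"},
]
```

Only the first sample matches: the second is not an executable extension, the third is a read request, and the fourth is a different event ID.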
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- File
- Process
- Application Log
ATT&CK Techniques
- T1105
Created: 2024-02-09