Process Creating LNK file in Suspicious Location

Splunk Security Content

Summary
This detection rule identifies a process creating `.lnk` files in unusual or suspicious locations on Windows systems, specifically in directories like `C:\Users*` or `*\Local\Temp\*`. The rule leverages data from the Endpoint data model, utilizing Sysmon events (EventID 11 for file creation and EventID 1 for processes) to track filesystem changes. This behavior is a known tactic associated with spear phishing attacks, where malicious actors create shortcuts (`.lnk` files) as a method of establishing persistence or executing malicious payloads. Recognizing this activity can be crucial for mitigating risks associated with potential malware infections or unauthorized access to systems.
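As an added illustration, not part of the Splunk content itself, the following Python reproduces the rule's core logic on constructed Sysmon-style events: EventID 11 file creations ending in `.lnk` under the listed paths are matched and then joined to the creating process (EventID 1) by ProcessGuid. Field names follow Sysmon's, but every event, path and user here is made up for the example.

```python
import fnmatch
from typing import Dict, List

# Constructed sample Sysmon-style events (not real telemetry).
# EventID 1 = process creation, EventID 11 = file creation; the two are
# related through ProcessGuid, which is how the rule attributes a file write.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\WScript.exe",
     "CommandLine": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.vbs",
     "User": "CORP\\alice"},
    {"EventID": 11, "ProcessGuid": "{A1}",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.lnk"},
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": "C:\\Windows\\explorer.exe",
     "CommandLine": "explorer.exe", "User": "CORP\\bob"},
    {"EventID": 11, "ProcessGuid": "{B2}",
     "TargetFilename": "C:\\Users\\bob\\Desktop\\report.docx"},
    {"EventID": 11, "ProcessGuid": "{B2}",
     "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\App.lnk"},
    # File write whose EventID 1 was never ingested: the alert must still fire.
    {"EventID": 11, "ProcessGuid": "{C3}",
     "TargetFilename": "C:\\Users\\Public\\shortcut.lnk"},
]

# Path patterns from the rule summary. fnmatch treats "*" as a wildcard and a
# backslash as a literal; paths are lowercased because NTFS is case-insensitive.
SUSPICIOUS_PATHS = ("c:\\users*", "*\\local\\temp\\*")


def is_suspicious_lnk(path: str) -> bool:
    """True when a .lnk is written under one of the rule's watched locations."""
    p = path.lower()
    return p.endswith(".lnk") and any(fnmatch.fnmatchcase(p, pat) for pat in SUSPICIOUS_PATHS)


def detect(events: List[Dict]) -> List[Dict]:
    """One alert per suspicious .lnk creation, enriched with the creating
    process when an EventID 1 with the same ProcessGuid is available."""
    processes = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        if e["EventID"] != 11 or not is_suspicious_lnk(e["TargetFilename"]):
            continue
        proc = processes.get(e["ProcessGuid"], {})
        alerts.append({
            "file_path": e["TargetFilename"],
            "process_name": proc.get("Image", "<unknown>"),
            "process_command": proc.get("CommandLine", "<unknown>"),
            "user": proc.get("User", "<unknown>"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Note that `C:\Users*` covers every user profile, so legitimate shortcuts on a Desktop or in Start Menu folders under a profile will also match; in production this is where an allowlist of known installer and shell processes is tuned in.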
Categories
  • Endpoint
  • Windows
Data Sources
  • File
  • Process
ATT&CK Techniques
  • T1566
  • T1566.002
Created: 2024-11-13