Splunk RCE Through Arbitrary File Write to Windows System Root

Splunk Security Content

Summary
This hunting rule detects potential Splunk RCE activity via arbitrary file write to the Windows system root by abusing the local app creation endpoint on vulnerable Splunk Enterprise for Windows installations. It targets Windows deployments where Splunk is installed on a separate drive and a low-privilege user (one lacking the admin or power roles) can initiate creation of a new app, potentially allowing upload and execution of code because of insecure session storage.

The rule focuses on Windows-specific endpoints and the _internal Splunk index to correlate events that indicate an unauthorized app creation sequence following a request to the vulnerable endpoint. Specifically, it watches for a request to /search/apps/local/_new immediately preceding an App Creation Message, captures the initiating user, and then aggregates app creation events within a 60-second window to determine whether that user held a capability sufficient to create apps (admin_all_objects or edit_local_apps). It then surfaces a message indicating either a legitimate app creation or a suspicious or failed attempt, aiding investigation of possible malicious file uploads or code execution.

Included are references to advisories SVD-2024-1001 and SVD-2024-1003, CVEs CVE-2024-45731 and CVE-2024-45733, and MITRE ATT&CK technique T1210 (Exploitation for Privilege Escalation), aligning the detection with known Splunk vulnerabilities. The rule uses the presence of AppManager events and the corresponding access logs to distinguish true positives from false positives, though false positives may still occur because it cannot inspect the actual contents of the created app. It is designed for Splunk Enterprise, Splunk Enterprise Security, and Splunk Cloud with data sources flowing into the _internal index, and it relies on Windows-specific paths such as C:\Windows\System32 to flag system-root write attempts.
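The correlation the summary describes (request to the _new endpoint, AppManager creation event by the same user inside a 60-second window, capability check), written out as an added Python example. This is not the rule's own SPL and not Splunk code; the log line layout, field names, app names and capability map are constructed assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in the spirit of the _internal index. The key=value
# layout and field names are assumptions for this example, not Splunk's real schema.
ACCESS_LOG = [
    '2024-10-15T10:00:05 user=analyst method=POST uri=/search/apps/local/_new status=303',
    '2024-10-15T11:00:00 user=admin method=POST uri=/search/apps/local/_new status=303',
    '2024-10-15T12:00:00 user=guest method=POST uri=/search/apps/local/_new status=303',
]
APP_EVENTS = [
    '2024-10-15T10:00:06 component=AppManager user=analyst app=unreviewed_app message="App Creation Message"',
    '2024-10-15T11:00:02 component=AppManager user=admin app=ok_app message="App Creation Message"',
]
# Constructed capability map; the two privileged capabilities are the ones the rule checks.
CAPABILITIES = {"admin": {"admin_all_objects"}, "analyst": {"search"}, "guest": {"search"}}
NEW_APP_URI = "/search/apps/local/_new"
PRIVILEGED = {"admin_all_objects", "edit_local_apps"}

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse(line):
    """Split a constructed log line into a dict; 'ts' becomes a datetime."""
    ts, rest = line.split(" ", 1)
    fields = {k: (quoted or bare) for k, quoted, bare in FIELD.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def correlate(access_lines, app_lines, caps, window_s=60):
    """For every request to the _new endpoint, gather AppManager creation events by
    the same user within window_s seconds and judge them against the user's capabilities."""
    creations = [parse(l) for l in app_lines]
    findings = []
    for req in (parse(l) for l in access_lines):
        if req.get("uri") != NEW_APP_URI:
            continue
        deadline = req["ts"] + timedelta(seconds=window_s)
        apps = [c["app"] for c in creations
                if c["user"] == req["user"] and req["ts"] <= c["ts"] <= deadline]
        privileged = bool(caps.get(req["user"], set()) & PRIVILEGED)
        if apps and privileged:
            verdict = "legitimate app creation by a user holding an app-creation capability"
        elif apps:
            verdict = "suspicious: app created by a user without an app-creation capability"
        else:
            verdict = "failed or incomplete attempt: no app created within the window"
        findings.append({"user": req["user"], "apps": apps, "verdict": verdict})
    return findings
```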
Categories
  • Windows
  • Endpoint
  • Application
Data Sources
  • Script
  • File
  • Application Log
  • Process
  • Windows Registry
  • Logon Session
  • Module
  • Service
  • Driver
  • Image
  • Internet Scan
  • Pod
  • Container
  • User Account
  • Named Pipe
  • Certificate
  • WMI
  • Cloud Storage
  • Network Traffic
  • Firewall
  • Kernel
  • Drive
  • Volume
  • Scheduled Job
  • Domain Name
  • Sensor Health
  • Snapshot
  • Instance
  • Group
  • Persona
  • Network Share
  • Active Directory
  • Cloud Service
  • Malware Repository
  • Firmware
ATT&CK Techniques
  • T1210
Created: 2026-06-24