Suspicious File Created in Public Folder

Anvilogic Forge

Summary
This detection rule identifies suspicious file creation events in the Public directory on Windows endpoints, targeting file types commonly associated with threats: .dll, .exe, and .conf files. Threat actors often abuse the Public directory for its accessibility, staging files there in an attempt to evade detection, so this rule focuses on surfacing that activity. The logic uses Windows Sysmon data, filters for the event ID that corresponds to file creation (EventCode=11), and applies regular expression matching to the target filename to confirm that it is under the Public directory and carries one of the specified extensions. Matching events are categorized and displayed in a structured table with contextual fields such as timestamp, host name, and the user associated with the file creation.
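A standalone illustration of the rule's logic over constructed Sysmon events, added here and not Anvilogic's own rule code. It assumes the events have been normalized to Splunk-style field names (EventCode, TargetFilename, host, User, Image) and that the Public directory is C:\Users\Public; the sample events and hostnames are constructed.

```python
import re

# Constructed Sysmon events (not real telemetry); field names follow the
# Splunk-style Sysmon add-on naming, which is an assumption of this example.
SAMPLE_EVENTS = [
    {"_time": "2024-04-12T10:01:02Z", "EventCode": 11, "host": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\Public\\update.exe"},
    {"_time": "2024-04-12T10:02:15Z", "EventCode": 11, "host": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\Users\\Public\\Downloads\\loader.DLL"},
    {"_time": "2024-04-12T10:03:40Z", "EventCode": 11, "host": "WS02", "User": "CORP\\bob",
     "Image": "C:\\Program Files\\App\\app.exe", "TargetFilename": "C:\\Users\\Public\\readme.txt"},
    {"_time": "2024-04-12T10:04:05Z", "EventCode": 1, "host": "WS02", "User": "CORP\\bob",
     "Image": "C:\\Users\\Public\\bad.exe", "TargetFilename": "C:\\Users\\Public\\bad.exe"},
    {"_time": "2024-04-12T10:05:30Z", "EventCode": 11, "host": "WS03", "User": "CORP\\carol",
     "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\Public\\notes.exe.txt"},
    {"_time": "2024-04-12T10:06:11Z", "EventCode": 11, "host": "WS03", "User": "CORP\\carol",
     "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\PublicData\\app.exe"},
    {"_time": "2024-04-12T10:07:48Z", "EventCode": 11, "host": "WS03", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Users\\Public\\Libraries\\svc.conf"},
]

# Anchored at both ends so "PublicData\..." and "notes.exe.txt" do not match;
# case-insensitive because Sysmon records the path as the caller passed it.
PUBLIC_SUSPECT_RE = re.compile(r"^[a-z]:\\users\\public\\.*\.(?P<ext>dll|exe|conf)$", re.IGNORECASE)

def detect_public_file_creates(events):
    """Return one structured row per Sysmon FileCreate (EventCode 11) that
    wrote a .dll/.exe/.conf file anywhere under C:\\Users\\Public."""
    rows = []
    for ev in events:
        if ev.get("EventCode") != 11:  # only FileCreate events are in scope
            continue
        m = PUBLIC_SUSPECT_RE.match(ev.get("TargetFilename", ""))
        if not m:
            continue
        rows.append({
            "time": ev["_time"], "host": ev["host"], "user": ev["User"],
            "creating_process": ev["Image"], "target": ev["TargetFilename"],
            "file_type": m.group("ext").lower(),
        })
    return rows

def format_table(rows):
    """Render the rows as the fixed-column table an analyst would review."""
    cols = ["time", "host", "user", "file_type", "target"]
    widths = {c: max([len(c)] + [len(r[c]) for r in rows]) for c in cols}
    lines = [" | ".join(c.ljust(widths[c]) for c in cols)]
    lines += [" | ".join(r[c].ljust(widths[c]) for c in cols) for r in rows]
    return "\n".join(lines)
```

Running `print(format_table(detect_public_file_creates(SAMPLE_EVENTS)))` yields three rows: the .exe, the .DLL under a subfolder, and the .conf; the .txt file, the process-create event, the double-extension file and the PublicData path are all filtered out.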
Categories
  • Windows
Data Sources
  • File
  • Process
ATT&CK Techniques
  • T1036
  • T1036.005
Created: 2024-04-12