
Summary
This analytic rule detects the creation or dropping of executable or script files directly in the root directory of removable drives. It relies on Sysmon Event ID 11 (FileCreate), which records file creation on the file system, to spot file types commonly associated with malware such as ransomware. Because such files can be used to spread malware between systems, support lateral movement, or establish persistence, this rule provides an important defensive layer. By matching file name patterns typical of executables and scripts, and excluding events on the C: drive, the rule helps separate routine administrative activity from potentially harmful behaviour, strengthening the organization's posture against threats delivered through removable media.
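As an added example (not the rule's own query or the project's implementation), the following Python applies the detection logic described above to constructed Sysmon Event ID 11 records: it parses the event XML, keeps only FileCreate events, requires the target path to sit directly in a drive root, excludes the C: drive, and matches the extension against a list of executable and script types. The extension list, the sample events and the helper names are assumptions for the example; excluding C: is the heuristic the rule text states, not a check that the drive is actually removable.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Extensions treated as "executable or script" files. The rule text names no
# exact list, so this set is an assumption for the example.
SUSPICIOUS_EXTENSIONS = {
    "exe", "dll", "scr", "com", "pif",                              # executables
    "bat", "cmd", "ps1", "vbs", "vbe", "js", "jse", "wsf", "hta",   # scripts
    "lnk",                                                          # shortcuts often dropped alongside them
}

# A path of the form X:\name with no further path separator, i.e. directly in the drive root.
ROOT_PATH = re.compile(r"^(?P<drive>[A-Za-z]):\\(?P<name>[^\\/]+)$")


def _strip_ns(tag: str) -> str:
    """Drop the XML namespace Sysmon puts on every element ({...}EventID -> EventID)."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def parse_sysmon_event(xml_text: str) -> Dict[str, str]:
    """Flatten one Sysmon <Event> into a dict: EventID plus each <Data Name=...> value."""
    root = ET.fromstring(xml_text)
    fields: Dict[str, str] = {}
    for elem in root.iter():
        tag = _strip_ns(elem.tag)
        if tag == "EventID":
            fields["EventID"] = (elem.text or "").strip()
        elif tag == "Data" and "Name" in elem.attrib:
            fields[elem.attrib["Name"]] = (elem.text or "").strip()
    return fields


def matches_removable_root_drop(event: Dict[str, str]) -> bool:
    """Rule logic: Sysmon EventID 11, executable/script extension, in the root of a non-C: drive."""
    if event.get("EventID") != "11":
        return False                      # only FileCreate events are in scope
    m = ROOT_PATH.match(event.get("TargetFilename", ""))
    if not m:
        return False                      # nested path, or not a drive-letter path at all
    if m.group("drive").upper() == "C":
        return False                      # the rule excludes the system drive (page heuristic)
    name = m.group("name")
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return ext in SUSPICIOUS_EXTENSIONS


def run_rule(events_xml: List[str]) -> List[Dict[str, str]]:
    """Parse each event and return the ones the rule fires on."""
    return [e for e in map(parse_sysmon_event, events_xml) if matches_removable_root_drop(e)]


def make_event_xml(event_id: int, image: str, target: str) -> str:
    """Build a minimal Sysmon-style event (constructed sample, not a real capture)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="Image">{image}</Data>'
        f'<Data Name="TargetFilename">{target}</Data></EventData></Event>'
    )


# Constructed sample log: two true positives, then nested path, C: drive, benign extension,
# and a FileDelete (Event ID 23) that must all be ignored.
SAMPLE_EVENTS = [
    make_event_xml(11, r"C:\Windows\explorer.exe", r"E:\Invoice.exe"),
    make_event_xml(11, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"D:\setup.ps1"),
    make_event_xml(11, r"C:\Windows\explorer.exe", r"E:\Photos\IMG_0001.jpg"),
    make_event_xml(11, r"C:\Windows\explorer.exe", r"C:\run.bat"),
    make_event_xml(11, r"C:\Windows\explorer.exe", r"E:\report.docx"),
    make_event_xml(23, r"C:\Windows\explorer.exe", r"E:\old.exe"),
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(f"ALERT: {alert['Image']} created {alert['TargetFilename']}")
```

Running the block prints two alerts, for `E:\Invoice.exe` and `D:\setup.ps1`. In a SIEM the same logic is usually expressed as a field match on `TargetFilename` (drive-root pattern plus extension list) with a `C:\` exclusion; checking the drive type against Sysmon's own data is not possible from Event ID 11 alone, so an analyst would confirm the device from a removable-media or PnP event source before treating the alert as removable-drive activity.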
Categories
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1204
- T1091
Created: 2025-01-27