
Summary
This detection rule monitors the creation of new files with a '.evtx' extension outside the standard and common directories used on Windows. '.evtx' files are the event log files Windows uses to record system events; their appearance in an uncommon location may indicate tampering with logging (for example, logs being relocated or copied to bypass standard logging mechanisms) or the staging of log data for exfiltration, which could expose sensitive information. Backup processes and legitimate administrative actions can also produce such files, so it is important to differentiate benign activity from a potential threat. The detection relies on Sysmon file-creation telemetry, matching target filenames that end with '.evtx' while systematically excluding commonly used paths. The rule alerts security teams for investigation whenever an '.evtx' file is created in an unexpected directory, improving the overall security monitoring of Windows environments.
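To make the matching logic concrete, the following is an added example (not the rule's own implementation or query) that applies the described condition to a few constructed Sysmon Event ID 11 (FileCreate) records: the TargetFilename must end with '.evtx' and must not sit under an excluded path. The Windows default log directory (C:\Windows\System32\winevt\Logs) is a known fact; the backup-share prefix, the sample process images and the record format are assumptions made for the example.

```python
"""Added example: evaluate the '.evtx outside common directories' condition
over constructed Sysmon FileCreate (Event ID 11) records."""

# Windows' default event log directory (a known location, not an assumption).
DEFAULT_LOG_DIR = "C:\\Windows\\System32\\winevt\\Logs\\"

# Assumed additional benign location standing in for the rule's "commonly used
# paths" (e.g. a dedicated log backup share). Tune this per environment.
ASSUMED_BENIGN_PREFIXES = ("D:\\LogBackups\\",)


def normalize(path: str) -> str:
    """Sysmon reports Windows paths; compare case-insensitively with one separator style."""
    return path.replace("/", "\\").lower()


def is_unexpected_evtx_create(target_filename: str,
                              extra_excluded=ASSUMED_BENIGN_PREFIXES) -> bool:
    """True when a created file ends with '.evtx' and is outside every excluded prefix."""
    p = normalize(target_filename)
    if not p.endswith(".evtx"):
        return False
    for prefix in (DEFAULT_LOG_DIR,) + tuple(extra_excluded):
        if p.startswith(normalize(prefix)):
            return False
    return True


def evaluate(events):
    """Return the FileCreate records that would raise the alert.

    Each record is a dict with EventID, Image and TargetFilename, mirroring the
    Sysmon fields the detection depends on.
    """
    return [
        e for e in events
        if e.get("EventID") == 11 and is_unexpected_evtx_create(e["TargetFilename"])
    ]


# Constructed sample telemetry (not real data): one default-location write, one
# backup write to the assumed benign share, one unexpected write to a user
# directory, one unrelated file, and one non-FileCreate event that must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\System32\\winevt\\Logs\\Security.evtx"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\wbengine.exe",
     "TargetFilename": "D:\\LogBackups\\Security-2023-01-02.evtx"},
    {"EventID": 11, "Image": "C:\\Temp\\unknown.exe",
     "TargetFilename": "C:\\Users\\Public\\Security.evtx"},
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Temp\\System.evtx"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"ALERT: {alert['Image']} created {alert['TargetFilename']}")
```

Only the write to C:\Users\Public fires; the default-location and backup-share writes are excluded by prefix, and the Event ID 1 record is ignored because the rule keys on file creation, not process creation. Note that the suffix match is deliberately strict: a file such as 'Security.evtx.bak' does not end with '.evtx' and is not matched, which is consistent with the rule as described.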
Categories
- Windows
- Endpoint
Data Sources
- File
Created: 2023-01-02