Deprecated - Remote File Creation on a Sensitive Directory

Elastic Detection Rules

Summary
This detection rule identifies the unauthorized creation or modification of files within sensitive directories on endpoint systems, activity that may indicate malicious behaviour. It draws on events captured by Elastic security logging and targets potential indicators of lateral movement through file-handling methods commonly associated with remote service exploitation. By focusing on known sensitive paths, such as system directories and user-specific application data, the rule flags cases where files are created or modified by non-system users and processes. A query written in Elastic's EQL (Event Query Language) filters the logs on specific criteria: the kind of file action, the permissions of the acting user, and process names indicative of file transfers or manipulation over remote protocols such as SSH or SMB. The rule is currently marked as deprecated, with a phase-out date of April 2024, following new guidelines that prevent duplication in older stack versions.
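The filter described above, reproduced as an added Python illustration rather than the rule's own EQL query: the sensitive-path patterns, the set of remote-transfer process names, the system-user list and the sample events are all constructed for this example, and the ECS-style field names are an assumption.

```python
import fnmatch

# Constructed approximation of the criteria the summary describes; the real
# rule's EQL query and its exact path/process lists are not reproduced here.
SENSITIVE_PATHS = [
    "/etc/*", "/usr/bin/*", "/root/*", "/home/*/.ssh/*",
    "C:\\Windows\\System32\\*", "C:\\Users\\*\\AppData\\*",
]
REMOTE_PROCESSES = {"sshd", "scp", "sftp-server", "smbd", "rsync"}   # SSH/SMB transfer paths
SYSTEM_USERS = {"root", "SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
FILE_ACTIONS = {"creation", "change", "modification"}                 # deletions are out of scope


def is_sensitive(path: str) -> bool:
    """True if the file path falls under one of the watched directories."""
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in SENSITIVE_PATHS)


def match_event(event: dict) -> bool:
    """Apply all four conditions: action kind, non-system user, remote process, sensitive path."""
    return (
        event.get("event.action") in FILE_ACTIONS
        and event.get("user.name") not in SYSTEM_USERS
        and event.get("process.name") in REMOTE_PROCESSES
        and is_sensitive(event.get("file.path", ""))
    )


def find_alerts(events: list) -> list:
    """Return one alert record per matching event, tagged with the ATT&CK technique."""
    return [
        {"file": e["file.path"], "user": e["user.name"], "process": e["process.name"],
         "technique": "T1210"}
        for e in events if match_event(e)
    ]


# Constructed sample events (ECS-like field names assumed for the example).
SAMPLE_EVENTS = [
    {"event.action": "creation", "file.path": "/home/alice/.ssh/authorized_keys",
     "process.name": "sshd", "user.name": "alice"},              # alert
    {"event.action": "creation", "file.path": "/tmp/build.log",
     "process.name": "sshd", "user.name": "alice"},              # not a sensitive path
    {"event.action": "change", "file.path": "/etc/cron.d/backup",
     "process.name": "smbd", "user.name": "root"},               # system user, skipped
    {"event.action": "creation", "file.path": "C:\\Windows\\System32\\drivers\\etc\\hosts",
     "process.name": "smbd", "user.name": "bob"},                # alert
    {"event.action": "deletion", "file.path": "/etc/shadow",
     "process.name": "sshd", "user.name": "mallory"},            # action not in scope
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```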
Categories
  • Endpoint
  • Cloud
  • Infrastructure
Data Sources
  • File
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1210
Created: 2023-10-12