Windows MSHTA Writing to World Writable Path

Splunk Security Content

Summary
This detection rule identifies instances of `mshta.exe` writing files to world-writable directories, using Sysmon EventCode 11 (file creation) logs. Such activity is indicative of attempts to establish persistence or execute malicious code, as `mshta.exe` is often misused in attacks to run scripts and commands. The rule specifically looks for write operations to several sensitive directories, including `C:\Windows\Tasks` and `C:\Windows\Temp`; a file dropped into one of these locations by `mshta.exe` is a strong signal that an attacker is staging further activity. If malicious activity is confirmed, it could result in multi-stage payload execution, full system compromise, and unauthorized access to sensitive data. The analytic provides a framework for monitoring these critical write operations and can be tailored to include other directories as needed. False positives are possible, so each event should be investigated in context before it is classified as a legitimate operation or as malicious activity.
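The matching logic described above, as an added example that is not Splunk's SPL search or any code from the Security Content project: it applies the "mshta.exe writing under a world-writable directory" test to Sysmon EventCode 11 records represented as Python dicts with the usual Sysmon field names (`EventCode`, `Image`, `TargetFilename`, `Computer`, `User`). The sample events are constructed, and the `C:\Users\Public` entry in the watch list is an assumed extension of the two directories named on the page.

```python
"""Added example (not Splunk's rule): apply the mshta.exe world-writable-path
check to Sysmon EventCode 11 (FileCreate) records and return the hits."""
from pathlib import PureWindowsPath

# Directories named on the page, plus one assumed extension; the list is
# meant to be tailored to the environment, as the summary says.
WORLD_WRITABLE_DIRS = [
    r"C:\Windows\Tasks",
    r"C:\Windows\Temp",
    r"C:\Users\Public",  # assumption, not from the page
]


def is_under(path: str, directory: str) -> bool:
    """Case-insensitive check that `path` lies inside `directory`.

    The comparison is done on path components, not string prefixes, so a
    write to C:\\Windows\\Temporary\\x.hta does not match C:\\Windows\\Temp.
    """
    p_parts = [part.lower() for part in PureWindowsPath(path).parts]
    d_parts = [part.lower() for part in PureWindowsPath(directory).parts]
    return len(p_parts) > len(d_parts) and p_parts[: len(d_parts)] == d_parts


def match_event(event: dict) -> bool:
    """True when a Sysmon FileCreate event shows mshta.exe writing to a watched dir."""
    if str(event.get("EventCode", "")) != "11":
        return False
    image = event.get("Image", "")
    if PureWindowsPath(image).name.lower() != "mshta.exe":
        return False
    target = event.get("TargetFilename", "")
    return any(is_under(target, d) for d in WORLD_WRITABLE_DIRS)


def detect(events: list) -> list:
    """Return the triage fields of every matching event, in input order."""
    hits = []
    for e in events:
        if match_event(e):
            hits.append({
                "Computer": e.get("Computer"),
                "User": e.get("User"),
                "Image": e.get("Image"),
                "TargetFilename": e.get("TargetFilename"),
            })
    return hits


# Constructed sample events (not real telemetry); only the first two should match.
SAMPLE_EVENTS = [
    {"EventCode": 11, "Computer": "ws01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\mshta.exe",
     "TargetFilename": r"C:\Windows\Temp\update.hta"},
    {"EventCode": 11, "Computer": "ws02", "User": "CORP\\bob",
     "Image": r"C:\Windows\SysWOW64\mshta.exe",
     "TargetFilename": r"c:\windows\tasks\run.vbs"},  # mixed case still matches
    {"EventCode": 11, "Computer": "ws01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\mshta.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\page.tmp"},  # not world-writable
    {"EventCode": 11, "Computer": "ws03", "User": "CORP\\carol",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Windows\Temp\notes.txt"},  # not mshta.exe
    {"EventCode": 1, "Computer": "ws03", "User": "CORP\\carol",
     "Image": r"C:\Windows\System32\mshta.exe",
     "TargetFilename": r"C:\Windows\Temp\ignored.hta"},  # wrong EventCode
    {"EventCode": 11, "Computer": "ws04", "User": "CORP\\dave",
     "Image": r"C:\Windows\System32\mshta.exe",
     "TargetFilename": r"C:\Windows\Temporary\trap.hta"},  # prefix look-alike
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['Computer']} {hit['User']} {hit['Image']} -> {hit['TargetFilename']}")
```

The component-wise comparison in `is_under` matters when the watch list is translated into a search: a plain string prefix or a wildcard such as `C:\Windows\Temp*` would also match sibling directories whose names merely start with the same text.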
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1218.005
Created: 2024-11-13