Detect Remote Access Software Usage File

Splunk Security Content

Summary
This detection rule identifies files belonging to known remote access software being written to disk within the environment. It uses data collected from Endpoint Detection and Response (EDR) agents, focusing on attributes such as file path, file name, and the associated user. Remote access tools such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer are often leveraged by adversaries to maintain unauthorized access to systems. If the activity is confirmed to be malicious, it could allow attackers to persist in the network, leading to data exfiltration, further exploitation of systems, or full control over affected environments. The detection relies on Sysmon EventID 11 (FileCreate) data and analyzes filesystem interactions to flag pertinent events.
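The following is an added illustration of the detection logic described above, not Splunk's own search or any code from the Security Content project. It assumes Sysmon events arrive as JSON lines with the standard field names (EventID, Computer, User, Image, TargetFilename), filters to EventID 11, and matches the target path against a watchlist built from the four products the summary names; the sample events are constructed for the example.

```python
"""Flag Sysmon EventID 11 (FileCreate) records whose target file matches a
known remote access tool. Added example; the watchlist, field names and
sample events are assumptions, not Splunk's own detection search."""
import json
import re
from collections import Counter

# Assumed watchlist: tool -> file name / path pattern. Only the four products
# named in the detection summary are included here.
REMOTE_ACCESS_PATTERNS = {
    "AnyDesk": re.compile(r"anydesk", re.I),
    "TeamViewer": re.compile(r"teamviewer", re.I),
    "LogMeIn": re.compile(r"logmein", re.I),
    "GoToMyPC": re.compile(r"gotomypc", re.I),
}

FILE_CREATE_EVENT_ID = 11  # Sysmon FileCreate

# Constructed sample: three FileCreate events that should alert, one
# FileCreate for an unrelated file, and one ProcessCreate (EventID 1)
# that must be ignored even though its Image names a remote access tool.
SAMPLE_EVENTS = [
    r'{"EventID": 11, "Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\Downloads\\AnyDesk.exe"}',
    r'{"EventID": 11, "Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Windows\\Temp\\update.log"}',
    r'{"EventID": 1, "Computer": "WS02", "User": "CORP\\bob", "Image": "C:\\Users\\bob\\TeamViewer.exe"}',
    r'{"EventID": 11, "Computer": "WS02", "User": "CORP\\bob", "Image": "C:\\Users\\bob\\setup.exe", "TargetFilename": "C:\\Program Files\\TeamViewer\\TeamViewer_Service.exe"}',
    r'{"EventID": 11, "Computer": "SRV01", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetFilename": "C:\\ProgramData\\LogMeIn\\LMIGuardianSvc.exe"}',
]


def basename(path: str) -> str:
    """Return the final path component, accepting Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def classify_target(path: str):
    """Return (tool, match_on) when the path looks like a known remote access
    tool. match_on is 'name' when the file name itself matched and 'path' when
    only a parent directory did (a weaker signal worth distinguishing in
    triage). Returns None when nothing matches."""
    name = basename(path)
    for tool, pattern in REMOTE_ACCESS_PATTERNS.items():
        if pattern.search(name):
            return tool, "name"
    for tool, pattern in REMOTE_ACCESS_PATTERNS.items():
        if pattern.search(path):
            return tool, "path"
    return None


def detect_remote_access_files(json_lines):
    """Scan JSON-encoded Sysmon events and return one alert dict per FileCreate
    event whose TargetFilename matches the watchlist."""
    alerts = []
    for line in json_lines:
        ev = json.loads(line)
        if int(ev.get("EventID", 0)) != FILE_CREATE_EVENT_ID:
            continue  # only file creation events are in scope
        hit = classify_target(ev.get("TargetFilename", ""))
        if hit is None:
            continue
        tool, match_on = hit
        alerts.append({
            "host": ev.get("Computer"),
            "user": ev.get("User"),
            "process": ev.get("Image"),
            "file": ev["TargetFilename"],
            "tool": tool,
            "match_on": match_on,
        })
    return alerts


def alerts_per_host(alerts):
    """Aggregate alerts by (host, tool) so an analyst sees one row per
    host/tool pair instead of one per file."""
    return Counter((a["host"], a["tool"]) for a in alerts)


if __name__ == "__main__":
    found = detect_remote_access_files(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['host']} {a['user']} wrote {a['file']} ({a['tool']}, matched on {a['match_on']})")
    print(alerts_per_host(found))
```

Matching on the file name and on the parent directory separately mirrors the summary's use of both file name and file path; in practice the watchlist would be extended well beyond four patterns, and a name match from a user's download directory deserves faster triage than a path-only match under a vendor's own ProgramData folder created by a legitimate installer.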
Categories
  • Endpoint
Data Sources
  • Pod
ATT&CK Techniques
  • T1219
Created: 2024-11-13