
Windows Mimikatz Crypto Export File Extensions

Splunk Security Content

Summary
This detection rule identifies anomalous file creations on Windows endpoints by targeting file extensions commonly associated with the Mimikatz Crypto module. It monitors the Sysmon EventID 11 data source within the Endpoint.Filesystem data model and flags file names such as '*.keyx.rsa.pvk', '*.pfx', and '*.der', which are typically produced when cryptographic keys are exported. Exporting such keys is tied to credential theft, so this detection matters for protecting sensitive cryptographic material. Creation of these files, especially repeatedly within a short timespan, may indicate an attacker using Mimikatz to exfiltrate cryptographic material, leading to unauthorized system access and further exploitation.
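The following is an added example, not Splunk's own detection search or code. It re-implements the logic the summary describes in Python rather than SPL: it reads Sysmon EventID 11 records, matches the target file name against the three patterns named above, and then applies the "repeated within a short timespan" condition by grouping hits per host inside a sliding window. The key=value log layout, the sample records, the five-minute window and the two-hit threshold are all assumptions made for the demo.

```python
"""
Added example (not Splunk's detection code): Python re-implementation of the
Mimikatz crypto export file-extension check over constructed Sysmon records.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# File-name patterns named in the rule description.
SUSPICIOUS_PATTERNS = ("*.keyx.rsa.pvk", "*.pfx", "*.der")

# Constructed sample Sysmon records in a simplified key=value layout (assumed
# format; real Sysmon events carry the same fields as XML/JSON). Paths contain
# no spaces so the simple whitespace split below is enough.
SAMPLE_EVENTS = [
    "time=2024-11-13T10:00:01 host=WS01 event_id=11 image=C:\\Users\\alice\\tools\\mk.exe target=C:\\Users\\alice\\export\\cert.keyx.rsa.pvk",
    "time=2024-11-13T10:00:03 host=WS01 event_id=11 image=C:\\Users\\alice\\tools\\mk.exe target=C:\\Users\\alice\\export\\cert.pfx",
    "time=2024-11-13T10:00:04 host=WS01 event_id=11 image=C:\\Users\\alice\\tools\\mk.exe target=C:\\Users\\alice\\export\\cert.der",
    "time=2024-11-13T10:05:00 host=WS02 event_id=11 image=C:\\Windows\\System32\\certutil.exe target=C:\\Temp\\root.der",
    "time=2024-11-13T10:06:00 host=WS02 event_id=1 image=C:\\Windows\\System32\\notepad.exe target=C:\\Temp\\notes.pfx",
    "time=2024-11-13T10:07:00 host=WS03 event_id=11 image=C:\\Apps\\app.exe target=C:\\Users\\bob\\report.docx",
]


def parse_event(line):
    """Turn one key=value record into a dict with typed time and event_id."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["time"] = datetime.fromisoformat(fields["time"])
    fields["event_id"] = int(fields["event_id"])
    return fields


def is_suspicious_file(path):
    """Match the file name (case-insensitively) against the rule's patterns."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return any(fnmatchcase(name, pattern) for pattern in SUSPICIOUS_PATTERNS)


def detect(lines, window=timedelta(minutes=5), min_hits=2):
    """Return (matches, escalated_hosts).

    matches: every EventID 11 (file create) record whose target file name
    matches one of the patterns.
    escalated_hosts: hosts with at least `min_hits` matches inside `window`,
    i.e. the repeated-within-a-short-timespan condition the rule calls out.
    """
    matches = [
        ev for ev in map(parse_event, lines)
        if ev["event_id"] == 11 and is_suspicious_file(ev["target"])
    ]
    by_host = defaultdict(list)
    for ev in matches:
        by_host[ev["host"]].append(ev["time"])
    escalated = []
    for host, times in by_host.items():
        times.sort()
        # Sliding window: any run of `min_hits` consecutive hits whose first
        # and last timestamps are no more than `window` apart.
        if any(times[i + min_hits - 1] - times[i] <= window
               for i in range(len(times) - min_hits + 1)):
            escalated.append(host)
    return matches, sorted(escalated)


if __name__ == "__main__":
    hits, hosts = detect(SAMPLE_EVENTS)
    for ev in hits:
        print(f"{ev['time']} {ev['host']} {ev['image']} -> {ev['target']}")
    print("hosts with repeated exports:", hosts)
```

Single hits (WS02 writing one .der via certutil) are reported but not escalated, which mirrors the rule's emphasis on repeated creations; tuning `window` and `min_hits` to the environment is where most of the false-positive work sits, since legitimate certificate tooling also writes .pfx and .der files.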
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1649
Created: 2024-11-13