Windows Office Product Dropped Uncommon File

Splunk Security Content

Summary
This detection rule monitors for suspicious activity by Microsoft Office applications on Windows systems, specifically instances where an Office application (such as Word or Excel) writes an executable or script file (.exe, .dll, .ps1), which is atypical behavior for these applications. The detection uses the process creation and file system events captured by Sysmon, in particular EventID 1 (Process Create) and EventID 11 (FileCreate). An Office application dropping these file types can indicate a compromised host, often through a spear-phishing attack that uses a malicious Office document to execute code, potentially leading to privilege escalation or persistent access. By implementing this detection, organizations can quickly identify and mitigate the misuse of legitimate applications for malicious ends.
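The correlation the summary describes, as an added example in Python rather than the rule's own Splunk search (this is not code from Splunk Security Content): EventID 1 records map each ProcessGuid to its image, and EventID 11 records are flagged when that image is an Office binary and the written file has an uncommon extension. The Office image list, the sample events, their paths and GUIDs are all constructed for this example.

```python
from pathlib import PureWindowsPath

# Office executables the check watches and the file types treated as uncommon for
# them to write. Both sets are assumptions for this example, not the rule's own lists.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
UNCOMMON_EXTS = {".exe", ".dll", ".ps1"}

# Constructed Sysmon-style events: EventID 1 (ProcessCreate) and EventID 11 (FileCreate).
# Field names follow Sysmon's schema; the paths and GUIDs are invented for the sample.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{guid-1}", "Computer": "ws01",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 11, "ProcessGuid": "{guid-1}", "Computer": "ws01",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\update.ps1"},
    {"EventID": 11, "ProcessGuid": "{guid-1}", "Computer": "ws01",
     "TargetFilename": r"C:\Users\alice\Documents\~$report.docx"},  # benign lock file
    {"EventID": 1, "ProcessGuid": "{guid-2}", "Computer": "ws01",
     "Image": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessGuid": "{guid-2}", "Computer": "ws01",
     "TargetFilename": r"C:\Users\alice\Downloads\setup.exe"},  # not an Office process
]


def find_office_drops(events):
    """Return FileCreate events in which an Office process wrote an .exe/.dll/.ps1.

    Assumes the ProcessCreate event for a process precedes its FileCreate events,
    as it does in a chronologically ordered Sysmon log. Matching is case-insensitive
    because Sysmon reports paths as the process supplied them.
    """
    image_by_guid = {}
    hits = []
    for ev in events:
        if ev["EventID"] == 1:
            image_by_guid[ev["ProcessGuid"]] = ev["Image"]
        elif ev["EventID"] == 11:
            image = image_by_guid.get(ev["ProcessGuid"], "")
            exe = PureWindowsPath(image).name.lower()
            ext = PureWindowsPath(ev["TargetFilename"]).suffix.lower()
            if exe in OFFICE_IMAGES and ext in UNCOMMON_EXTS:
                hits.append({"computer": ev["Computer"], "process": image,
                             "file": ev["TargetFilename"]})
    return hits


if __name__ == "__main__":
    for hit in find_office_drops(SAMPLE_EVENTS):
        print(f"{hit['computer']}: {hit['process']} wrote {hit['file']}")
```

Only the WINWORD.EXE write of update.ps1 is reported; the Office lock file and the explorer.exe download are filtered out by the extension and image checks respectively.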
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1566
  • T1566.001
Created: 2025-01-20