
ISO File in Temp Folder

Anvilogic Forge

Summary
This detection rule identifies ISO and zip files being accessed in two temporary directories on Windows endpoints: \AppData\Local\Temp and \AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ (the latter is where Outlook stages attachments a user opens). Both are common drop points for files delivered through phishing and other social-engineering lures; a user who mounts the ISO or extracts the archive and launches its contents hands the attacker code execution on the host (ATT&CK T1204.002, User Execution: Malicious File).

The rule works from the Windows Security log, filtering on Event ID 4656 (a handle to an object was requested) and 4663 (an attempt was made to access an object). Splunk logic extracts the object path and process from those events and keeps only the ones whose path falls under one of the two directories and ends in .iso or .zip, so the output is limited to user-initiated handling of these container files rather than all activity in the temp folders.

Neither event is written by default: Object Access auditing (the File System subcategory) must be enabled and an audit SACL set on the directories in question, otherwise the rule has nothing to match. The rule is relevant for organizations looking to reduce the risk of malware infections caused by user-initiated file execution.
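The detection logic described above, as an added example written in Python rather than Splunk SPL; it is not Anvilogic's rule or query. It applies the rule's three filters (Event ID 4656/4663, the two AppData directories, .iso/.zip extension) to constructed event text laid out like the Security-log events Splunk's Windows add-on ingests (an EventCode= line followed by the message body). The exact field layout, the sample paths, and the user and process names are assumptions made for the example.

```python
"""Detection logic for ISO/ZIP files touched in Windows temp folders.

Added example, not Anvilogic's rule or Splunk query. It applies the rule's
filters (Event IDs 4656/4663, the two AppData directories, .iso/.zip) to
constructed event text laid out like the Security-log events Splunk's
Windows add-on ingests (an EventCode= line followed by the message body).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Security log Event IDs the rule keys on. Neither is written unless Object
# Access auditing is enabled and the directory carries an audit SACL.
WATCHED_EVENT_IDS = {4656, 4663}

# Directories named by the rule, lower-cased for case-insensitive matching.
# Substring rather than prefix matching is deliberate: the profile root varies
# per user and Outlook stages attachments in a random subfolder of Content.Outlook.
WATCHED_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\local\\microsoft\\windows\\inetcache\\content.outlook\\",
)
WATCHED_EXTENSIONS = (".iso", ".zip")

# Field names as they appear in the 4656/4663 message body (assumed layout).
FIELD_PATTERNS = {
    "event_id": re.compile(r"^EventCode=(\d+)\s*$", re.M),
    "user": re.compile(r"^\s*Account Name:\s*(.+?)\s*$", re.M),
    "object_name": re.compile(r"^\s*Object Name:\s*(.+?)\s*$", re.M),
    "process_name": re.compile(r"^\s*Process Name:\s*(.+?)\s*$", re.M),
}


@dataclass
class FileEvent:
    event_id: int
    user: str
    object_name: str
    process_name: str


def parse_event(raw: str) -> Optional[FileEvent]:
    """Extract the fields the rule needs; None if any is missing."""
    found = {}
    for key, pattern in FIELD_PATTERNS.items():
        match = pattern.search(raw)
        if match is None:
            return None
        found[key] = match.group(1)
    return FileEvent(int(found["event_id"]), found["user"],
                     found["object_name"], found["process_name"])


def is_suspicious(event: FileEvent) -> bool:
    """The rule's three filters: event type, extension, directory."""
    if event.event_id not in WATCHED_EVENT_IDS:
        return False
    path = event.object_name.lower()
    if not path.endswith(WATCHED_EXTENSIONS):
        return False
    return any(directory in path for directory in WATCHED_DIRS)


def detect(raw_events: List[str]) -> List[FileEvent]:
    """Return the events that should alert, in input order."""
    hits = []
    for raw in raw_events:
        event = parse_event(raw)
        if event is not None and is_suspicious(event):
            hits.append(event)
    return hits


def _event(code, user, obj, proc):
    """Build constructed sample event text (not real log data)."""
    return (f"EventCode={code}\n"
            f"Subject:\n\tAccount Name:\t\t{user}\n"
            f"Object:\n\tObject Name:\t\t{obj}\n"
            f"Process Information:\n\tProcess Name:\t\t{proc}\n")


SAMPLE_EVENTS = [
    # ISO opened from Temp via Explorer: should alert.
    _event(4663, "alice", r"C:\Users\alice\AppData\Local\Temp\invoice.iso",
           r"C:\Windows\explorer.exe"),
    # Zip attachment in Outlook's cache (random subfolder, upper-case extension): should alert.
    _event(4656, "bob",
           r"C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\K3J2X1A9\Report.ZIP",
           r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    # Text file in Temp: wrong extension, no alert.
    _event(4663, "alice", r"C:\Users\alice\AppData\Local\Temp\notes.txt",
           r"C:\Windows\System32\notepad.exe"),
    # ISO outside the watched directories: no alert.
    _event(4663, "alice", r"C:\Users\alice\Downloads\tool.iso",
           r"C:\Windows\explorer.exe"),
    # Object deleted (4660) rather than accessed: wrong event type, no alert.
    _event(4660, "alice", r"C:\Users\alice\AppData\Local\Temp\old.iso",
           r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT {hit.event_id} {hit.user} {hit.process_name} -> {hit.object_name}")
```

Run as a script it prints the two alerting events. The substring match on the directory names is the point to review before porting this to production: it intentionally fires on any subfolder beneath Temp or Content.Outlook, which matches how Outlook and most extractors behave but will also catch tooling that legitimately stages archives there, so the process name is kept on the alert for triage.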
Categories
  • Windows
  • Endpoint
Data Sources
  • File
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1204.002
Created: 2024-03-14