
Summary
This anomaly rule detects wermgr.exe creating an alternate data stream (ADS) in the Windows Temp directory, using Sysmon EventID 15 (FileCreateStreamHash). The search filters on TargetFilename patterns that match the Temp path and wermgr.exe, then aggregates the results by destination, device, file hash, file name/path and process details to surface correlated activity over time. wermgr.exe is normally the Windows Error Reporting manager, but RoguePlanet malware has been documented using ADS in the Temp folder to stage or execute code, so this pattern is a notable indicator of credential or code execution abuse. The rule returns timing and contextual fields (first/last time, destination, file/process metadata) to support investigation and playbook automation. The analytic identity is RoguePlanet, with MITRE technique T1564.004 (Inhibit or Hide Artifacts via Alternate Data Streams) as the underlying pattern. The rule supports alerting, investigation and correlation with risk events and other detections as part of an endpoint security workflow.
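As an added illustration of the logic the rule describes (not the rule's own search), the Python below applies the wermgr.exe / Temp path / ADS filter to Sysmon EventID 15 records and aggregates the matches with first and last time. The field names are Sysmon's; the sample records, host name and hash values are constructed, and the example matches wermgr.exe on the Image field rather than on TargetFilename.

```python
import re

# Constructed sample Sysmon EventID 15 (FileCreateStreamHash) records; not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-06-16 10:01:02.000", "Computer": "WS01", "ProcessId": 4120,
     "Image": "C:\\Windows\\System32\\wermgr.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\report.tmp:hidden",
     "Hash": "SHA256=CONSTRUCTED_HASH_A"},
    {"UtcTime": "2026-06-16 10:05:40.000", "Computer": "WS01", "ProcessId": 4120,
     "Image": "C:\\Windows\\System32\\wermgr.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\report.tmp:hidden",
     "Hash": "SHA256=CONSTRUCTED_HASH_A"},
    # Benign: a browser writing Zone.Identifier under Downloads (not Temp, not wermgr.exe).
    {"UtcTime": "2026-06-16 10:07:00.000", "Computer": "WS01", "ProcessId": 2200,
     "Image": "C:\\Program Files\\Browser\\browser.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\setup.exe:Zone.Identifier",
     "Hash": "SHA256=CONSTRUCTED_HASH_B"},
    # Benign: wermgr.exe writing an ordinary file in Temp (no stream, so not an ADS).
    {"UtcTime": "2026-06-16 10:08:15.000", "Computer": "WS01", "ProcessId": 4120,
     "Image": "C:\\Windows\\System32\\wermgr.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\WER1234.tmp",
     "Hash": "SHA256=CONSTRUCTED_HASH_C"},
]

# A path segment under \Temp\ followed by ":<stream>" and an optional ":$DATA" type suffix.
TEMP_ADS_RE = re.compile(r"\\Temp\\[^\\:]+:[^\\:]+(?::\$DATA)?$", re.IGNORECASE)


def is_wermgr_temp_ads(event):
    """True when wermgr.exe is the creating process and the target is an ADS in a Temp path."""
    image = event.get("Image", "").lower()
    return image.endswith("\\wermgr.exe") and bool(TEMP_ADS_RE.search(event.get("TargetFilename", "")))


def aggregate(events):
    """Group matching events by (device, process image, file path, hash) with first/last time and count."""
    groups = {}
    for ev in events:
        if not is_wermgr_temp_ads(ev):
            continue
        key = (ev["Computer"], ev["Image"], ev["TargetFilename"], ev["Hash"])
        g = groups.setdefault(key, {"first_time": ev["UtcTime"], "last_time": ev["UtcTime"],
                                    "count": 0, "process_ids": set()})
        # Sysmon UtcTime is zero-padded, so string comparison orders correctly.
        g["first_time"] = min(g["first_time"], ev["UtcTime"])
        g["last_time"] = max(g["last_time"], ev["UtcTime"])
        g["count"] += 1
        g["process_ids"].add(ev["ProcessId"])
    return groups
```

Run over the constructed records, only the two wermgr.exe writes to `report.tmp:hidden` survive the filter and collapse into one group spanning 10:01:02 to 10:05:40.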
Categories
- Endpoint
- Windows
Data Sources
- Process
- File
ATT&CK Techniques
- T1564.004
Created: 2026-06-16