
Summary
This detection rule identifies the creation of file types associated with Large Language Models (LLMs) in Windows environments. It monitors file creation events for model file types such as .gguf, .ggml, and .safetensors, which are instrumental in decentralized AI activities. The rule addresses the risks of unauthorized AI usage, potential data exfiltration, and unapproved deployments by capturing suspicious file creation patterns that might signify shadow AI developments. By leveraging Sysmon Event ID 11, organizations can proactively monitor and respond to unauthorized AI infrastructure, thereby reinforcing their security posture against emerging threats.
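The matching logic described in the summary, as an added example rather than the rule's own query: it parses Sysmon events in Windows event XML form, keeps only Event ID 11 (FileCreate) records, and compares the final extension of TargetFilename case-insensitively. The host name, process images, file paths and the helper names are constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
MODEL_EXTENSIONS = {".gguf", ".ggml", ".safetensors"}  # file types named in the summary

def make_event(event_id, image, target):
    """Build one constructed Sysmon event in Windows event XML layout (sample data only)."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
        "<Computer>WS-EXAMPLE-01</Computer></System><EventData>"
        f'<Data Name="Image">{image}</Data>'
        f'<Data Name="TargetFilename">{target}</Data></EventData></Event>'
    )

# Constructed sample events, not taken from a real host.
SAMPLE_EVENTS = [
    # Upper-case extension: must still match.
    make_event(11, r"C:\Program Files\ExampleApp\downloader.exe",
               r"C:\Users\alice\models\example-7b.Q4.GGUF"),
    make_event(11, r"C:\Windows\explorer.exe",
               r"C:\Users\bob\Downloads\weights.safetensors"),
    # ".gguf" appears in the name but is not the final extension: no match.
    make_event(11, r"C:\Windows\System32\notepad.exe",
               r"C:\Users\bob\Documents\notes.gguf.txt"),
    # Event ID 23 is a file delete, not a creation: ignored.
    make_event(23, r"C:\Windows\explorer.exe",
               r"C:\Users\alice\models\old.ggml"),
]

def find_model_file_creations(xml_events):
    """Return (computer, image, target) for FileCreate events that write model files."""
    hits = []
    for raw in xml_events:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "11":
            continue
        data = {d.get("Name"): d.text or ""
                for d in root.findall("e:EventData/e:Data", NS)}
        target = data.get("TargetFilename", "")
        # ntpath handles backslash-separated Windows paths on any analysis host.
        if ntpath.splitext(target)[1].lower() in MODEL_EXTENSIONS:
            computer = root.findtext("e:System/e:Computer", namespaces=NS)
            hits.append((computer, data.get("Image", ""), target))
    return hits

if __name__ == "__main__":
    for computer, image, target in find_model_file_creations(SAMPLE_EVENTS):
        print(f"{computer}: {image} created {target}")
```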
Categories
- Endpoint
- Windows
Data Sources
- File
ATT&CK Techniques
- T1543
Created: 2025-11-12