Executable File Creation with Multiple Extensions

Elastic Detection Rules

Summary
This detection rule identifies the creation of executable files masquerading under multiple extensions, a tactic adversaries use to evade defenses by disguising malicious files as benign documents or media. The rule uses EQL (Event Query Language) to monitor Windows file-creation events and applies a regular expression that matches file names which append an executable extension to a common document or media extension such as .pdf or .jpg. It also excludes known legitimate processes to reduce false positives, so that alerts focus on activity that could indicate an attempt at defense evasion. The accompanying guidance outlines investigation steps and potential remediation actions to help analysts assess and respond to detected threats.
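As an added illustration (not the rule's own EQL query, which this page does not reproduce), the following Python emulates the logic the summary describes over a few constructed ECS-style file-creation events: a regular expression for a benign-looking extension followed by an executable one, plus an allowlist of installer processes. The extension lists, the allowlisted path and the sample events are all assumptions made for this example.

```python
import re

# Benign-looking extensions an attacker may place before the real executable
# extension, and the executable extensions that may follow them. Both lists
# are assumptions for this example, not the shipped rule's own pattern.
DECOY_EXTS = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf",
              "jpg", "jpeg", "png", "gif", "bmp", "mp3", "mp4", "zip")
EXEC_EXTS = ("exe", "scr", "com", "pif")

# Matches "<name>.<decoy>.<exec>" at the end of the file name, any letter case.
MULTI_EXT_RE = re.compile(
    r".+\.(?:" + "|".join(DECOY_EXTS) + r")\.(?:" + "|".join(EXEC_EXTS) + r")$",
    re.IGNORECASE,
)

# Installers that legitimately create such names (constructed allowlist; the
# rule's real exclusions are not reproduced on this page). Compared lower-cased.
ALLOWED_PROCESSES = {r"c:\windows\system32\msiexec.exe"}

def is_masquerading(file_name: str) -> bool:
    """True when the name ends in a benign extension followed by an executable one."""
    return MULTI_EXT_RE.match(file_name) is not None

def detect(events):
    """Paths of Windows file creations matching the pattern, minus allowlisted writers."""
    hits = []
    for ev in events:
        if ev.get("host.os.type") != "windows" or ev.get("event.type") != "creation":
            continue
        if ev.get("process.executable", "").lower() in ALLOWED_PROCESSES:
            continue
        if is_masquerading(ev.get("file.name", "")):
            hits.append(ev["file.path"])
    return hits

def _event(name, folder, proc):
    """Build a constructed ECS-style file-creation event (sample data, not real telemetry)."""
    return {"host.os.type": "windows", "event.type": "creation", "file.name": name,
            "file.path": folder + "\\" + name, "process.executable": proc}

SAMPLE_EVENTS = [
    _event("Invoice.PDF.exe", r"C:\Users\a\Downloads", r"C:\Program Files\Mail\mail.exe"),
    _event("report.docx", r"C:\Users\a\Documents", r"C:\Program Files\Office\winword.exe"),
    _event("photo.jpg.scr", r"C:\Users\a\Pictures", r"C:\Windows\explorer.exe"),
    _event("readme.txt.exe", r"C:\Temp", r"C:\Windows\System32\msiexec.exe"),  # allowlisted
    _event("archive.tar.gz", r"C:\Users\a\Downloads", r"C:\Windows\explorer.exe"),
]
```

Running `detect(SAMPLE_EVENTS)` returns only the Invoice.PDF.exe and photo.jpg.scr paths; the msiexec-written file is suppressed by the allowlist, which is the same trade-off the rule's process exclusions make between coverage and false positives.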
Categories
  • Endpoint
  • Windows
Data Sources
  • File
  • Process
  • Windows Registry
  • Network Traffic
  • Logon Session
ATT&CK Techniques
  • T1036
  • T1036.007
  • T1204
  • T1204.002
Created: 2021-01-19