
Summary
This rule aims to detect potential malicious activity related to the exploitation of CVE-2021-40444 by monitoring instances where the `control.exe` process attempts to load `.cpl` or `.inf` files from writable directories. Such behavior is significant because it signals a possible exploitation attempt, which could give attackers unauthorized control over a system. The detection is built upon data collected from Endpoint Detection and Response (EDR) agents, specifically analyzing process execution details from the `Processes` node of the Endpoint data model. By querying logs for the `control.exe` process name and inspecting its command-line arguments for `.cpl` or `.inf` paths, this analytic can effectively identify suspicious file loading that aligns with known attack patterns. False positives are expected to be minimal because legitimate Control Panel items are rarely loaded from user-writable directories, allowing the team to focus on genuine threats.
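As an added illustration of the detection logic described above (this is example code, not the rule's own search), the following Python script applies the same test to a handful of constructed process events: it keeps only `control.exe` executions, extracts any `.cpl` or `.inf` path from the command line, and flags the event when that path sits in a directory a standard user can write to. The field names (`dest`, `user`, `process_name`, `process`) mirror the Endpoint `Processes` node; the list of writable directories is an assumption chosen for this example, as the page does not reproduce the rule's exact list.

```python
import re

# Assumed set of user-writable directory fragments (lower-case, backslash-delimited).
# The original rule's exact list is not shown on the page; this is an example choice.
WRITABLE_DIRS = (
    "\\users\\",
    "\\appdata\\",
    "\\temp\\",
    "\\tmp\\",
    "\\programdata\\",
    "\\windows\\temp\\",
    "\\public\\",
)

# Matches either a quoted path ending in .cpl/.inf or an unquoted non-space token ending in .cpl/.inf.
FILE_RE = re.compile(r'"([^"]+?\.(?:cpl|inf))"|(\S+?\.(?:cpl|inf))\b', re.IGNORECASE)

# Constructed sample events in the shape of the Endpoint Processes data model.
SAMPLE_EVENTS = [
    {   # benign: a built-in Control Panel applet loaded from System32
        "dest": "WS01", "user": "alice", "process_name": "control.exe",
        "process": 'control.exe "C:\\Windows\\System32\\timedate.cpl"',
    },
    {   # suspicious: an .inf loaded from a user-writable temp directory
        "dest": "WS02", "user": "bob", "process_name": "control.exe",
        "process": "control.exe C:\\Users\\bob\\AppData\\Local\\Temp\\Low\\msword.inf,,1",
    },
    {   # out of scope for this rule: the process is not control.exe
        "dest": "WS03", "user": "carol", "process_name": "rundll32.exe",
        "process": "rundll32.exe C:\\Users\\carol\\thing.cpl",
    },
    {   # benign: control.exe invoked by canonical name, no file path at all
        "dest": "WS04", "user": "dave", "process_name": "control.exe",
        "process": "control.exe /name Microsoft.Display",
    },
]


def extract_target_file(cmdline: str):
    """Return the first .cpl/.inf path referenced in a command line, or None."""
    m = FILE_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def in_writable_dir(path: str) -> bool:
    """True if the path contains one of the assumed user-writable directory fragments."""
    p = path.lower()
    return any(fragment in p for fragment in WRITABLE_DIRS)


def is_suspicious_control_load(event: dict) -> bool:
    """Apply the rule: control.exe loading a .cpl/.inf from a writable directory."""
    if event.get("process_name", "").lower() != "control.exe":
        return False
    target = extract_target_file(event.get("process", ""))
    return target is not None and in_writable_dir(target)


def scan(events):
    """Return one hit record per matching event, with the offending file path."""
    hits = []
    for ev in events:
        if is_suspicious_control_load(ev):
            hits.append({
                "dest": ev["dest"],
                "user": ev["user"],
                "file": extract_target_file(ev["process"]),
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT host={hit['dest']} user={hit['user']} file={hit['file']}")
```

Only the second constructed event is reported; the System32 applet, the `rundll32.exe` execution, and the `/name` invocation all fall outside the rule's conditions, which is the behaviour that keeps the false-positive rate low.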
Categories
- Endpoint
- Windows
Data Sources
- Process
- Logon Session
- Windows Registry
- Image
ATT&CK Techniques
- T1218
- T1218.002
Created: 2024-12-10