
Summary
Detects creation of Windows theme files (.theme) in unusual locations by analyzing Sysmon EventID 11 (FileCreate) telemetry. The rule's Splunk search queries the Endpoint.Filesystem data model for events whose file_path falls under common user directories (Desktop, Documents, Downloads, Temp), whose file_name matches "*.theme", and whose action is "created". Matches are aggregated by destination host, creation time, and the creating process, and the rule raises the risk alert: Windows theme file creation in unusual location at {file_path} on {dest}.

The RBA annotation assigns the destination host a risk score of 20 as the risk object and records the theme file path as a threat object. Theme files deserve this attention because they have been abused for remote code execution and in NTLM coercion campaigns, so a .theme file appearing in a download or temp directory rather than the expected Windows theme locations is a meaningful anomaly. The detection is anomaly-based: it requires Sysmon FileCreate events, including the responsible process, ingested and CIM-normalized into the Endpoint data model, and it complements existing process and file telemetry rather than replacing it. Drilldown queries show the matching results per user and per host together with 7-day risk context, and a true-positive test dataset is provided for validation.

Legitimate IT operations and user theme customization will also create .theme files; such hits should be reviewed and allow-listed as needed. The rule references a Dark Reading article on the underlying Windows vulnerabilities and is mapped to the MITRE ATT&CK techniques T1187, T1557.001, and T1021.002.
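The search logic and a follow-up triage step, as an added worked example that is not part of the rule or of the Splunk content project: the Python below re-implements the filter over constructed Sysmon EventID 11 records (the directory regex, the Sysmon field names and the grouping key are my assumptions about how the SPL expresses the same conditions), produces the same risk message and RBA fields, and then parses a matching .theme file for UNC references, since a theme whose wallpaper or brand image points at a remote share is how theme files are used to coerce NTLM authentication. The sample events and the sample theme are constructed, not captured data.

```python
"""Python re-implementation of the theme-file detection plus a triage step.
Added example; not the rule's own SPL. Field names follow Sysmon's EventID 11
schema; the directory patterns and grouping key are assumptions."""
import configparser
import re
from collections import defaultdict

# "Unusual locations" named in the rule summary: Desktop, Documents, Downloads, Temp.
UNUSUAL_DIR = re.compile(r"\\(Desktop|Documents|Downloads|Temp)\\", re.IGNORECASE)
RISK_SCORE = 20  # risk score the rule's RBA annotation assigns to the host
# Matches \\host\share... but not the \\?\ and \\.\ local path prefixes.
UNC_VALUE = re.compile(r"^\\\\[^\\?.][^\\]*\\")

# Constructed Sysmon EventID 11 (FileCreate) records; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2026-04-13 10:01:02.000", "Computer": "WS01",
     "Image": r"C:\Windows\explorer.exe", "ProcessId": 4120,
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.theme"},
    {"EventID": 11, "UtcTime": "2026-04-13 10:01:05.000", "Computer": "WS01",
     "Image": r"C:\Windows\explorer.exe", "ProcessId": 4120,
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.pdf"},     # wrong extension
    {"EventID": 1, "UtcTime": "2026-04-13 10:01:06.000", "Computer": "WS01",
     "Image": r"C:\Windows\explorer.exe", "ProcessId": 5000,
     "CommandLine": "explorer.exe"},                                 # ProcessCreate, not FileCreate
    {"EventID": 11, "UtcTime": "2026-04-13 10:02:00.000", "Computer": "WS02",
     "Image": r"C:\Windows\System32\msiexec.exe", "ProcessId": 880,
     "TargetFilename": r"C:\Windows\Resources\Themes\corp.theme"},  # expected location
    {"EventID": 11, "UtcTime": "2026-04-13 10:03:00.000", "Computer": "WS03",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "ProcessId": 2210,
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\x.THEME"},  # case-insensitive match
]

# Constructed .theme content in the INI layout Windows uses; not a real theme.
SAMPLE_THEME = r"""; constructed sample
[Theme]
DisplayName=Invoice
BrandImage=\\10.0.0.5\share\brand.png

[Control Panel\Desktop]
Wallpaper=\\10.0.0.5\share\wallpaper.jpg
WallpaperStyle=10

[MasterThemeSelector]
MTSM=RJSPBS
"""


def is_unusual_theme_create(ev):
    """True for a Sysmon FileCreate whose target is a .theme under a user-facing directory."""
    if ev.get("EventID") != 11:
        return False
    path = ev.get("TargetFilename", "")
    return path.lower().endswith(".theme") and UNUSUAL_DIR.search(path) is not None


def detect(events):
    """Group matches by host, file path and creating process, as the SPL aggregation does,
    and emit one alert per group carrying the rule's message and RBA fields."""
    groups = defaultdict(list)
    for ev in events:
        if is_unusual_theme_create(ev):
            key = (ev["Computer"], ev["TargetFilename"], ev["Image"], ev["ProcessId"])
            groups[key].append(ev["UtcTime"])
    alerts = []
    for (dest, file_path, image, pid), times in groups.items():
        alerts.append({
            "dest": dest, "file_path": file_path, "process": image, "process_id": pid,
            "firstTime": min(times), "lastTime": max(times), "count": len(times),
            "risk_score": RISK_SCORE, "risk_object": dest, "threat_object": file_path,
            "message": f"Windows theme file creation in unusual location at {file_path} on {dest}",
        })
    return sorted(alerts, key=lambda a: a["firstTime"])


def find_unc_references(theme_text):
    """Triage helper: (section, key, value) entries whose value is a UNC path.
    A remote wallpaper or brand image is what makes the theme an NTLM coercion lure."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(theme_text)
    hits = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if UNC_VALUE.match(value.strip()):
                hits.append((section, key, value.strip()))
    return hits


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["message"], "| risk", alert["risk_score"], "| via", alert["process"])
    for section, key, value in find_unc_references(SAMPLE_THEME):
        print(f"UNC reference in [{section}] {key} = {value}")
```

The grouping on the creating process is what makes the allow-listing the rule recommends practical: a theme written by a software deployment tool into a user directory looks different from one written by a browser, and the UNC check gives the analyst an immediate reason to escalate rather than close the alert as customization.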
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- File
- Process
ATT&CK Techniques
- T1187
- T1557.001
- T1021.002
Created: 2026-04-13