Windows Credentials from Web Browsers Saved in TEMP Folder

Splunk Security Content

Summary
This analytic rule identifies potential malicious activity associated with the Braodo stealer malware, which harvests saved credentials, cookies, and password information from web browsers. Specifically, it monitors for the creation of files in temporary directories that are likely to contain this sensitive information. The detection leverages Sysmon Event ID 11 (FileCreate) to capture file-creation events in the temp folders, filtering for file names that suggest they hold credential material (files whose names start with "login", "pass", or "cookie", or that contain "master_key"). The goal is to help security teams quickly identify unauthorized-access risk and take preventive measures before the data is exfiltrated. The rule also provides drilldown searches and risk-assessment messaging to support thorough investigation of potential incidents.
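The filtering logic the summary describes, reproduced here as an added Python example rather than the Splunk rule's own SPL. It applies the same two conditions (file created under a temp folder, and a name starting with "login", "pass" or "cookie" or containing "master_key") to a handful of constructed Sysmon Event ID 11 records; the field names (`EventCode`, `Image`, `TargetFilename`, `Computer`) and the set of temp directories are assumptions, not taken from the page.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 11 (FileCreate) records. Field names mirror the
# Windows event fields Sysmon emits, but the values are made up for this example.
SAMPLE_EVENTS = [
    {"EventCode": 11, "Computer": "WS01", "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\Login Data"},
    {"EventCode": 11, "Computer": "WS01", "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\passwords.txt"},
    {"EventCode": 11, "Computer": "WS01", "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\cookies.sqlite"},
    {"EventCode": 11, "Computer": "WS02", "Image": r"C:\Windows\Temp\svc.exe",
     "TargetFilename": r"C:\Windows\Temp\chrome_master_key.bin"},
    # Benign-looking records that must NOT match:
    {"EventCode": 11, "Computer": "WS01", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\login_notes.txt"},   # credential-like name, not a temp dir
    {"EventCode": 11, "Computer": "WS02", "Image": r"C:\Windows\Temp\setup.exe",
     "TargetFilename": r"C:\Windows\Temp\setup.log"},                   # temp dir, ordinary name
    {"EventCode": 1, "Computer": "WS02", "Image": r"C:\Windows\Temp\setup.exe",
     "TargetFilename": r"C:\Windows\Temp\passwords.txt"},               # wrong event id (ProcessCreate)
]

# Temp locations considered by this example (assumed list; extend to match your environment).
TEMP_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)

# File-name conditions from the rule summary.
CREDENTIAL_PREFIXES = ("login", "pass", "cookie")
CREDENTIAL_SUBSTRING = "master_key"


def is_credential_temp_file(path: str) -> bool:
    """True when a created file sits in a temp folder and its name looks credential-related."""
    if not TEMP_DIR_RE.search(path):
        return False
    name = PureWindowsPath(path).name.lower()
    return name.startswith(CREDENTIAL_PREFIXES) or CREDENTIAL_SUBSTRING in name


def detect(events):
    """Return the Event ID 11 records that satisfy the rule's conditions."""
    return [
        e for e in events
        if e.get("EventCode") == 11 and is_credential_temp_file(e.get("TargetFilename", ""))
    ]


def risk_message(event) -> str:
    """Build the kind of risk message an analyst would see on a notable event."""
    return (f"Process {event['Image']} on {event['Computer']} wrote a credential-like "
            f"file {event['TargetFilename']} to a temp folder")


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(risk_message(hit))
```

Because legitimate installers and browsers also write to `%TEMP%`, the `Image` field is kept in the output so that the drilldown can pivot on the writing process; tuning usually means allow-listing known installers by image path rather than loosening the file-name filter.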
Categories
  • Endpoint
Data Sources
  • Pod
ATT&CK Techniques
  • T1555.003
  • T1555
Created: 2024-11-13