Malicious Remote File Creation

Elastic Detection Rules

Summary
This detection rule identifies malicious remote file creation events, which may indicate lateral movement within an environment. It uses an EQL (Event Query Language) sequence to monitor file creation on hosts, looking specifically for processes commonly associated with remote file operations: System, scp, sshd, smbd, vsftpd, and sftp-server. The rule fires when such a file creation coincides on the same host with an event categorized as malware or intrusion detection, so that an alert is raised for a potentially critical attack. With a risk score of 99, the rule is aimed at organizations that want to strengthen endpoint defenses against the lateral movement strategies attackers employ. The rule is deprecated and requires a minimum stack version of 8.9.0 for compatibility reasons. Consult the Elastic blog for more context on related remote desktop protocol threats.
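To make the correlation idea concrete, the following is an added Python example (not the rule's own EQL and not Elastic code) that pairs a file creation by one of the listed remote-file processes with a later malware or intrusion_detection event on the same host. The ECS-like field names, the sample events and the 5-minute correlation window are assumptions made for this illustration.

```python
from datetime import datetime

# Process names the page's rule associates with remote file operations.
REMOTE_FILE_PROCESSES = {"System", "scp", "sshd", "smbd", "vsftpd", "sftp-server"}
# Event categories that, following such a creation on the same host, trigger the rule.
ALERT_CATEGORIES = {"malware", "intrusion_detection"}

def _ev(ts, host, category, etype, proc, path):
    """Build one constructed, ECS-like event record (sample data, not real telemetry)."""
    return {"@timestamp": ts, "host.id": host, "event.category": category,
            "event.type": etype, "process.name": proc, "file.path": path}

# Constructed sample events: only h1 should match with the default 5-minute window.
SAMPLE_EVENTS = [
    _ev("2023-10-12T10:00:00", "h1", "file", "creation", "sshd", "/tmp/payload.bin"),
    _ev("2023-10-12T10:00:03", "h1", "malware", "info", "endpoint", "/tmp/payload.bin"),
    _ev("2023-10-12T10:05:00", "h2", "file", "creation", "bash", "/tmp/notes.txt"),  # local process
    _ev("2023-10-12T10:05:02", "h2", "malware", "info", "endpoint", "/tmp/notes.txt"),
    _ev("2023-10-12T10:10:00", "h3", "file", "creation", "scp", "/home/u/tool.sh"),  # no follow-up
    _ev("2023-10-12T11:00:00", "h4", "file", "creation", "smbd", "/srv/share/x.exe"),
    _ev("2023-10-12T13:30:00", "h4", "intrusion_detection", "info", "endpoint", "/srv/share/x.exe"),
]

def detect(events, window_seconds=300):
    """Per host, pair a remote-process file creation with a later malware or
    intrusion_detection event inside the window. Returns (host.id, file.path, category)."""
    pending = {}   # host.id -> [(creation time, file.path)] awaiting a follow-up event
    matches = []
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        ts, host = datetime.fromisoformat(e["@timestamp"]), e["host.id"]
        if (e["event.category"] == "file" and e["event.type"] == "creation"
                and e["process.name"] in REMOTE_FILE_PROCESSES):
            pending.setdefault(host, []).append((ts, e["file.path"]))
        elif e["event.category"] in ALERT_CATEGORIES:
            # Every pending candidate on this host is either matched or too old once
            # a follow-up event arrives, so the list is consumed here.
            for ts0, path in pending.pop(host, []):
                if 0 <= (ts - ts0).total_seconds() <= window_seconds:
                    matches.append((host, path, e["event.category"]))
    return matches

if __name__ == "__main__":
    for host, path, category in detect(SAMPLE_EVENTS):
        print("ALERT: remote file creation followed by %s on %s: %s" % (category, host, path))
```

Widening the window to several hours also surfaces the h4 pair, which shows why the correlation span matters for both coverage and false positives.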
Categories
  • Endpoint
Data Sources
  • File
  • Process
ATT&CK Techniques
  • T1210
Created: 2023-10-12