
Windows Snake Malware Kernel Driver Comadmin

Splunk Security Content

Summary
This detection rule identifies the creation of the file comadmin.dat in the Windows system directory (System32\Com), a file associated with the installation of Snake malware. The rule uses Sysmon Event ID 11 (FileCreate) events normalized into the Endpoint.Filesystem data model and matches on the comadmin.dat file name. The file matters because Snake's installer stores its malicious kernel driver and the custom DLL that loads that driver in this file, so its appearance on a host is a strong indicator that the installer has run. A completed installation gives the attacker kernel-level code execution (privilege escalation) and persistent access. The detection runs in Splunk and only works if Sysmon file-creation telemetry from endpoints is being ingested and mapped to the Endpoint.Filesystem data model; if that input is missing, the search returns nothing even when the file is created.
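The matching logic described above, as an added example that is not code from Splunk Security Content: a Python stand-in for the detection run over constructed Sysmon Event ID 11 records, so the match behaviour (event type, directory, case handling) can be checked offline. Input field names (EventID, UtcTime, Computer, User, Image, TargetFilename) follow the Sysmon EID 11 schema; the normalized names (dest, user, process_name, file_path, file_name) follow the CIM Endpoint.Filesystem convention the rule queries. The System32\Com path constraint follows public reporting on Snake; the rule's exact search expression is not reproduced here, and the `aggregate` grouping is the example's own choice of analyst pivot. All sample events are constructed, not real telemetry.

```python
"""Re-implementation (for illustration only) of a comadmin.dat FileCreate detection.

Not the Splunk rule itself: the Splunk rule lives in SPL against the
Endpoint.Filesystem data model. This script shows the same decision on
constructed Sysmon EID 11 records.
"""
import ntpath
import re

# Directory the detection watches. NTFS path lookups are case-insensitive and
# an installer may vary casing, so the match must be case-insensitive too.
COMADMIN_PATH = re.compile(r".*\\Windows\\System32\\Com\\comadmin\.dat$", re.IGNORECASE)

# Constructed Sysmon records shaped like EID 11 (FileCreate) events. Not real logs.
SAMPLE_EVENTS = [
    # Suspicious: an unsigned installer from a temp directory drops the container.
    {"EventID": 11, "UtcTime": "2024-11-13 10:01:02.123", "Computer": "ws01.corp.local",
     "User": r"CORP\alice", "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetFilename": r"C:\Windows\System32\Com\comadmin.dat"},
    # Same drop with different casing and a second creating process.
    {"EventID": 11, "UtcTime": "2024-11-13 10:05:44.900", "Computer": "ws02.corp.local",
     "User": r"NT AUTHORITY\SYSTEM", "Image": r"C:\Windows\Temp\svc.exe",
     "TargetFilename": r"c:\WINDOWS\system32\com\COMADMIN.DAT"},
    # Same file name outside the watched directory: not matched by this rule.
    {"EventID": 11, "UtcTime": "2024-11-13 10:07:10.000", "Computer": "ws01.corp.local",
     "User": r"CORP\alice", "Image": r"C:\Program Files\7-Zip\7zFM.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\comadmin.dat"},
    # Right directory, different extension: not matched.
    {"EventID": 11, "UtcTime": "2024-11-13 10:08:00.000", "Computer": "ws01.corp.local",
     "User": r"CORP\alice", "Image": r"C:\Windows\System32\regsvr32.exe",
     "TargetFilename": r"C:\Windows\System32\Com\comadmin.dll"},
    # A ProcessCreate (EID 1) record: ignored regardless of content.
    {"EventID": 1, "UtcTime": "2024-11-13 10:09:00.000", "Computer": "ws01.corp.local",
     "User": r"CORP\alice", "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "CommandLine": "updater.exe /silent"},
]


def normalize(event):
    """Map raw Sysmon EID 11 fields onto CIM Endpoint.Filesystem-style field names."""
    path = event.get("TargetFilename", "")
    return {
        "_time": event.get("UtcTime", ""),
        "dest": event.get("Computer", ""),
        "user": event.get("User", ""),
        "process_name": ntpath.basename(event.get("Image", "")),
        "process_path": event.get("Image", ""),
        "file_path": path,
        "file_name": ntpath.basename(path),
    }


def is_comadmin_drop(event):
    """True only for a Sysmon FileCreate (EID 11) of comadmin.dat under System32\\Com."""
    if event.get("EventID") != 11:
        return False
    return COMADMIN_PATH.match(event.get("TargetFilename", "")) is not None


def detect(events):
    """Return one normalized finding per matching event, preserving input order."""
    return [normalize(e) for e in events if is_comadmin_drop(e)]


def aggregate(findings):
    """Group findings by (dest, process_name, user) with count and first/last seen.

    This is the example's own pivot for triage (which host, which process
    wrote the file, as whom); it is not a claim about the rule's output format.
    """
    groups = {}
    for f in findings:
        key = (f["dest"], f["process_name"], f["user"])
        g = groups.setdefault(key, {"count": 0, "first_seen": f["_time"],
                                    "last_seen": f["_time"], "file_path": f["file_path"]})
        g["count"] += 1
        g["first_seen"] = min(g["first_seen"], f["_time"])
        g["last_seen"] = max(g["last_seen"], f["_time"])
    return groups


if __name__ == "__main__":
    for (dest, proc, user), g in aggregate(detect(SAMPLE_EVENTS)).items():
        print(f"{dest}: {proc} as {user} wrote {g['file_path']} "
              f"x{g['count']} ({g['first_seen']} .. {g['last_seen']})")
```

Two caveats the script makes visible. First, the match is an exact path and file name, so a Snake build that uses a different container name or directory would not fire; treat this as one high-precision signal alongside the other Snake-related detections rather than as coverage of the family. Second, Sysmon only writes Event ID 11 for paths its configuration includes, so confirm the deployed Sysmon config actually logs file creation under System32\Com before relying on this search; an empty result can mean no drop or no telemetry.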
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1547.006 (Boot or Logon Autostart Execution: Kernel Modules and Extensions)
Created: 2024-11-13