
Summary
The Windows Admin Permission Discovery rule identifies suspicious activity by detecting the creation of a file named 'win.dat' in the root of the C: drive. Using Sysmon EventID 11 (FileCreate) and the Endpoint.Filesystem data model, this analytic is designed to recognize file drops that could be indicative of malware, specifically NjRAT, which can drop such a file to test whether it has administrative access on a compromised host. If this behavior is flagged, it suggests that the malware may be able to execute high-privilege actions, increasing the risk of further compromise or persistence on the system. The search applies multiple conditions to narrow the filesystem events down to those that match this pattern, so that likely malicious activity is highlighted while false positives from legitimate administrative actions are minimized.
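To show the detection condition described above in runnable form, the following is an added Python example (not the rule's own Splunk search) that applies the same file-drop check to constructed Sysmon EventID 11 records; the field names follow Sysmon's FileCreate event, and the sample events, hostnames and process paths are made up.

```python
import re
from typing import Iterable

# Constructed Sysmon EventID 11 (FileCreate) records, flattened to the fields an analyst
# would pivot on. These are made-up sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11, "dest": "ws01", "Image": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe",
     "TargetFilename": "C:\\win.dat"},                           # drop in drive root: match
    {"EventID": 11, "dest": "ws02", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\bob\\Documents\\win.dat"},   # same name, not in the root
    {"EventID": 11, "dest": "ws03", "Image": "C:\\Program Files\\App\\app.exe",
     "TargetFilename": "c:\\WIN.DAT"},                           # root drop, different case: match
    {"EventID": 1,  "dest": "ws01", "Image": "C:\\win.dat", "TargetFilename": ""},  # not a FileCreate
    {"EventID": 11, "dest": "ws04", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\win.dat.tmp"},                       # different file name
]

# Exactly C:\win.dat, case-insensitive (NTFS paths are), with no subdirectory component.
ROOT_WIN_DAT = re.compile(r"^c:\\win\.dat$", re.IGNORECASE)


def is_root_win_dat_drop(event: dict) -> bool:
    """True when a Sysmon FileCreate (EventID 11) wrote win.dat into the root of C:."""
    if event.get("EventID") != 11:
        return False
    return bool(ROOT_WIN_DAT.match(event.get("TargetFilename", "")))


def detect(events: Iterable[dict]) -> list[dict]:
    """Return one finding per matching event, carrying the fields used for triage."""
    findings = []
    for ev in events:
        if is_root_win_dat_drop(ev):
            findings.append({"dest": ev["dest"], "process": ev["Image"],
                             "file_path": ev["TargetFilename"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {f['dest']}: {f['process']} created {f['file_path']}")
```

Only the two root-of-C: drops are reported; the subdirectory copy, the non-FileCreate event and the similarly named file are left alone, which is the narrowing the rule's filter conditions perform.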
Categories
- Endpoint
Data Sources
- Windows Registry
- File
ATT&CK Techniques
- T1069.001
Created: 2024-11-13