
Summary
This detection rule identifies the Microsoft Support Diagnostic Tool (msdt.exe) creating files in directories that are typically considered suspicious: the Desktop, the Startup folder, PerfLogs, ProgramData, and Users/Public. These locations are commonly used by malicious actors to maintain persistence or to stage further payloads, notably when exploiting known vulnerabilities such as Follina (CVE-2022-30190). The rule relies on file event logging and filters on the process image name and the target filename to isolate file creation activity originating from msdt.exe. Because msdt.exe creating files in these directories matches file creation patterns seen during exploitation, any such event warrants further investigation. The high severity level reflects the significant risk associated with matching events and calls for an immediate response from security teams.
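The rule's filter, expressed as runnable detection logic over constructed file-create events. This is an added illustration, not the rule's own query; it assumes Sysmon-style field names (Image, TargetFilename) and the standard Startup folder path, and the sample events are made up.

```python
# Directory fragments named by the rule. Matched case-insensitively against
# TargetFilename; the trailing backslash keeps "\Desktop\" from matching "\Desktops\".
SUSPICIOUS_PATH_FRAGMENTS = (
    "\\desktop\\",
    "\\start menu\\programs\\startup\\",   # the Startup folder (assumed standard path)
    "\\perflogs\\",
    "\\programdata\\",
    "\\users\\public\\",
)

# Constructed sample file-create events. Field names are assumed Sysmon-style
# (Image = creating process, TargetFilename = file written); not from the rule.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\msdt.exe",
     "TargetFilename": "C:\\Users\\alice\\Desktop\\diag.tmp"},
    {"Image": "C:\\Windows\\System32\\msdt.exe",
     "TargetFilename": "C:\\ProgramData\\update.vbs"},
    {"Image": "C:\\Windows\\System32\\msdt.exe",
     "TargetFilename": "C:\\Windows\\Temp\\diag.log"},            # directory not in the rule's list
    {"Image": "C:\\Windows\\notepad.exe",
     "TargetFilename": "C:\\Users\\alice\\Desktop\\todo.txt"},     # listed directory, wrong process
    {"Image": "C:\\Windows\\SysWOW64\\msdt.exe",
     "TargetFilename": "C:\\Users\\Public\\dropped.sct"},
]


def is_suspicious_msdt_file_create(event):
    """True when the creating process is msdt.exe and the file lands in a listed directory."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    if not image.endswith("\\msdt.exe"):
        return False
    return any(fragment in target for fragment in SUSPICIOUS_PATH_FRAGMENTS)


def run_detection(events):
    """Return the TargetFilename of every event the rule would alert on, in input order."""
    return [e["TargetFilename"] for e in events if is_suspicious_msdt_file_create(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT: msdt.exe created file in suspicious directory:", hit)
```

Both conditions must hold: the temp-directory write and the notepad.exe write in the samples are not flagged, which is the behaviour the rule's image-name plus target-filename filter intends.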
Categories
- Windows
- Endpoint
Data Sources
- File
- Process
Created: 2022-08-24