Potential Persistence Via Microsoft Office Startup Folder

Sigma Rules

Summary
This detection rule identifies a persistence mechanism in which a malicious actor places Microsoft Office files in the default Office startup folders. Documents stored in these folders are opened automatically whenever the corresponding Office application, such as Word or Excel, is launched, so a file dropped there executes its payload without any further interaction from the user. The rule inspects file events for Word or Excel documents created in the designated startup paths, matching the extensions associated with Word (.doc, .docm, .docx, .dot, .dotm, .rtf) and Excel (.xls, .xlsm, .xlsx, .xlt, .xltm). To reduce false positives from normal Office activity, events whose originating process is WINWORD or EXCEL are excluded. Any remaining event that matches the path and extension criteria raises an alert, indicating potential persistence via an unauthorized file placed in an Office startup folder.
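As an added illustration, not code from this page or from the Sigma project, the following Python re-implements the check the summary describes and runs it over a handful of constructed file-creation events. The extension lists and the WINWORD/EXCEL process exclusion come from the summary; the startup folder fragments `\Microsoft\Word\STARTUP\` and `\Microsoft\Excel\XLSTART\`, the pairing of Word extensions with the Word folder and Excel extensions with the Excel folder, and the `Key=Value|Key=Value` event line format are assumptions made for the example.

```python
"""Toy re-implementation of the Office startup folder persistence check.

Not the Sigma rule itself; an added example that mirrors the logic the
rule summary describes, evaluated over constructed file-creation events.
"""
from dataclasses import dataclass

# Extensions taken from the rule summary.
WORD_EXTENSIONS = (".doc", ".docm", ".docx", ".dot", ".dotm", ".rtf")
EXCEL_EXTENSIONS = (".xls", ".xlsm", ".xlsx", ".xlt", ".xltm")

# Assumed startup folder fragments (the summary does not name the paths).
# Compared case-insensitively as substrings of the created file's path.
WORD_STARTUP = "\\microsoft\\word\\startup\\"
EXCEL_STARTUP = "\\microsoft\\excel\\xlstart\\"

# Files written by the Office binaries themselves are excluded, per the summary.
BENIGN_IMAGE_SUFFIXES = ("\\winword.exe", "\\excel.exe")


@dataclass(frozen=True)
class FileEvent:
    image: str            # process that created the file
    target_filename: str  # full path of the created file


def parse_event(line: str) -> FileEvent:
    """Parse one constructed 'Key=Value|Key=Value' file-event line (assumed format)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return FileEvent(image=fields["Image"], target_filename=fields["TargetFilename"])


def matches_office_startup(event: FileEvent) -> bool:
    """True when a Word/Excel document lands in the matching startup folder."""
    path = event.target_filename.lower()
    in_word_startup = WORD_STARTUP in path and path.endswith(WORD_EXTENSIONS)
    in_excel_startup = EXCEL_STARTUP in path and path.endswith(EXCEL_EXTENSIONS)
    return in_word_startup or in_excel_startup


def is_office_process(event: FileEvent) -> bool:
    """Exclusion: the write came from WINWORD or EXCEL (assumed exact image name match)."""
    return event.image.lower().endswith(BENIGN_IMAGE_SUFFIXES)


def detect(events: list[FileEvent]) -> list[FileEvent]:
    """Return the events that would trigger the alert."""
    return [e for e in events if matches_office_startup(e) and not is_office_process(e)]


# Constructed sample events (not real telemetry).
SAMPLE_LINES = [
    # 1: script host drops a Word template into STARTUP -> alert
    "Image=C:\\Windows\\System32\\cmd.exe|TargetFilename=C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\update.dotm",
    # 2: Word itself writes its template -> excluded
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|TargetFilename=C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\Normal.dotm",
    # 3: PowerShell drops a macro workbook into XLSTART -> alert
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|TargetFilename=C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\book.xlsm",
    # 4: non-Office extension in XLSTART -> no match
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|TargetFilename=C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\notes.txt",
    # 5: Word document outside any startup folder -> no match
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|TargetFilename=C:\\Users\\bob\\Documents\\report.docx",
    # 6: Excel extension in the Word folder -> no match under the assumed pairing
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|TargetFilename=C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\data.xlsx",
]
SAMPLE_EVENTS = [parse_event(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit.image} wrote {hit.target_filename}")
```

Running the block prints two alerts (events 1 and 3). Event 2 shows why the WINWORD/EXCEL exclusion matters: Office applications routinely write their own templates into these folders, and without the filter every such write would page an analyst. Event 6 shows the cost of the folder/extension pairing assumed here; a looser rule that accepts any Office extension in either folder would catch it at the price of more noise.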
Categories
  • Windows
  • Endpoint
Data Sources
  • File
Created: 2022-06-02