
Summary
This anomaly rule flags network connections initiated by processes executing from suspicious Windows directories (e.g., Recycle Bin, Public, PerfLogs, systemprofile, Fonts, IME, Addins). Malware commonly runs from writable or unusual folders and then reaches out to external infrastructure for command-and-control, staging, or data exfiltration.

The detection queries the Network_Traffic.All_Traffic data model with a tstats-based aggregation to identify connections whose source process image matches a set of suspicious path patterns (for example, *\$Recycle.Bin\*, *\Config\SystemProfile\*, *\PerfLogs\*, *\Users\Public\*, *\Windows\Fonts\*, *\Windows\IME\*, etc.). Results are grouped by dest/dest_ip/dest_port, src/src_ip/src_port, transport, protocol, and associated metadata such as app, user, and host, followed by a final normalization step that presents clean results.

The rule relies on endpoint telemetry from EDR agents that provide the process GUID, process name, parent process, and full command-line arguments, with the data mapped to the Endpoint CIM Processes node. It uses a dedicated filter (windows_network_connection_from_program_in_suspect_location_filter) to enforce the path-pattern criteria. The detection supports drilldowns that show per-user/destination details and can surface risk context via a related risk model.

It is aligned with MITRE ATT&CK T1011 and can indicate potential C2, staging, or data exfiltration activity from a compromised host. False positives may occur when legitimate system utilities or security tooling operate from these folders; review such results and allow trusted processes as appropriate.
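The following is an added example, not part of this rule page or the original search, that reproduces the core of the detection logic outside Splunk: case-insensitive matching of a process image path against the suspect-folder patterns quoted above, followed by grouping of matching connection events by the same destination/source/transport fields. The event records, the `process_path` field name and the `*\Windows\Addins\*` pattern (built from the Addins folder named in the summary) are assumptions for illustration; the other patterns are the ones the page lists. An allowlist parameter models the "allow trusted processes" step for false-positive handling.

```python
import fnmatch
from collections import Counter

# Suspect path patterns from the rule summary, in Splunk-style glob form.
# The Addins entry is an assumed pattern derived from the folder list on the page.
SUSPECT_PATH_PATTERNS = [
    r"*\$Recycle.Bin\*",
    r"*\Config\SystemProfile\*",
    r"*\PerfLogs\*",
    r"*\Users\Public\*",
    r"*\Windows\Fonts\*",
    r"*\Windows\IME\*",
    r"*\Windows\Addins\*",
]

# Grouping keys mirror the dest/src/transport/user/host fields the rule aggregates on.
GROUP_FIELDS = ("dest", "dest_ip", "dest_port", "src", "src_ip", "src_port",
                "transport", "process_path", "user", "host")


def is_suspect_path(process_path: str) -> bool:
    """Return True when the image path sits under one of the suspect folders.

    Windows paths are case-insensitive, so both sides are lowercased and
    forward slashes are normalized to backslashes before glob matching.
    """
    normalized = process_path.replace("/", "\\").lower()
    return any(fnmatch.fnmatchcase(normalized, pattern.lower())
               for pattern in SUSPECT_PATH_PATTERNS)


def detect(events, allowlist=()):
    """Group network events from suspect process locations, skipping allowlisted images.

    Returns a list of dicts (one per group, with a 'count'), most frequent first.
    """
    allowed = {path.lower() for path in allowlist}
    counts = Counter()
    for event in events:
        path = event.get("process_path", "")
        if not path or path.lower() in allowed:
            continue
        if not is_suspect_path(path):
            continue
        counts[tuple(event.get(field) for field in GROUP_FIELDS)] += 1
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))
    return [dict(zip(GROUP_FIELDS, key), count=n) for key, n in ordered]


# Constructed sample events in a CIM-like shape (field names are assumptions).
_BASE = {"host": "WS01", "user": "alice", "src": "WS01", "src_ip": "10.0.0.5",
         "src_port": 51234, "transport": "tcp"}
SAMPLE_EVENTS = [
    dict(_BASE, dest="203.0.113.10", dest_ip="203.0.113.10", dest_port=443,
         process_path=r"C:\Users\Public\update.exe"),
    dict(_BASE, dest="203.0.113.10", dest_ip="203.0.113.10", dest_port=443,
         process_path=r"C:\Users\Public\update.exe"),
    dict(_BASE, dest="198.51.100.7", dest_ip="198.51.100.7", dest_port=8080,
         process_path=r"C:\$Recycle.Bin\S-1-5-21-1111\svc.exe"),
    dict(_BASE, dest="198.51.100.20", dest_ip="198.51.100.20", dest_port=443,
         process_path=r"C:\Program Files\Mozilla Firefox\firefox.exe"),  # benign
    dict(_BASE, dest="192.0.2.9", dest_ip="192.0.2.9", dest_port=443,
         process_path=r"C:\PerfLogs\collector.exe"),  # trusted tooling, allowlisted below
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, allowlist=[r"C:\PerfLogs\collector.exe"]):
        print(hit["count"], hit["process_path"], "->", hit["dest"], hit["dest_port"])
```

Running the block with the allowlist shown yields two groups: the Users\Public image (two connections to the same destination) and the Recycle Bin image (one connection); the Firefox event never matches, and the PerfLogs collector is suppressed by the allowlist rather than by the pattern, which is the distinction a reviewer tuning the filter macro cares about.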
Categories
- Endpoint
- Windows
Data Sources
- Script
- Windows Registry
- Process
- Network Traffic
ATT&CK Techniques
- T1011
Created: 2026-04-13