
Windows Boot or Logon Autostart Execution In Startup Folder

Splunk Security Content

Summary
This analytic detects the creation of files in the Windows %startup% folder, using the Endpoint.Filesystem data model to identify file-creation events in that directory. The %startup% folder is a well-known persistence mechanism: adversaries place code there so that it runs automatically at system boot or user logon. A file created in this folder therefore warrants investigation, since it can give an attacker persistence on a compromised system and a foothold for further exploitation and access to sensitive data. Monitoring this activity lets organizations catch early signs of attacks that abuse commonly exploited Windows features. The rule analyzes Sysmon event logs for evidence that a file was created within the designated folder, which may indicate an adversary's effort to maintain access or deploy malware.
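As an added illustration of the rule's logic (example code, not Splunk's own search or content), the following Python filter applies the same check, file-creation events whose path lies in a startup folder, to constructed Sysmon Event ID 11 (FileCreate) records. The two folder paths are the standard per-user and all-users Startup locations; treating those as the meaning of %startup% is an assumption here, since the page does not spell them out.

```python
import re

# Startup folders Windows enumerates at logon (assumed expansion of %startup%):
# the per-user folder under the roaming profile and the all-users folder
# under ProgramData. Matching is case-insensitive because NTFS paths are.
STARTUP_PATTERNS = [
    re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I),
    re.compile(r"\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\", re.I),
]

# Constructed sample events shaped like ingested Sysmon Event ID 11 fields.
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 11, "Computer": "WS01", "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\helper.vbs"},
    {"EventID": 11, "Computer": "WS01", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},          # benign: not a startup folder
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\helper.vbs"},  # not a FileCreate event
]


def is_startup_folder(path: str) -> bool:
    """True if the file path sits inside one of the Windows Startup folders."""
    # Normalise forward slashes so a collector that logs "/" still matches.
    normalised = path.replace("/", "\\")
    return any(pattern.search(normalised) for pattern in STARTUP_PATTERNS)


def detect_startup_file_creation(events):
    """Return one finding per Sysmon FileCreate event that lands in a Startup folder."""
    findings = []
    for event in events:
        if event.get("EventID") != 11:          # only FileCreate events are in scope
            continue
        target = event.get("TargetFilename", "")
        if not is_startup_folder(target):
            continue
        findings.append({
            "computer": event.get("Computer", ""),
            "file_path": target,
            "process": event.get("Image", ""),
            "technique": "T1547.001",           # Boot or Logon Autostart: Startup Folder
        })
    return findings


if __name__ == "__main__":
    for finding in detect_startup_file_creation(SAMPLE_EVENTS):
        print(finding)
```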
Categories
  • Endpoint
  • Windows
Data Sources
  • File
ATT&CK Techniques
  • T1204
  • T1547.001
  • T1547
Created: 2024-11-13