
Summary
This detection rule identifies instances where a Windows process writes a .txt file to directories that have world-writable permissions, a behavior adversaries often exploit to manipulate system processes. Using data from Endpoint Detection and Response (EDR) agents, the rule examines file creation events across sensitive directories such as Windows Tasks and Temp, locations malware commonly uses to stage payloads or persist within the environment. The rule is built on a Splunk search that consolidates file creation event data and filters the results against a predefined list of risky directories, allowing security teams to monitor and respond to potentially harmful activity. Given the critical nature of the paths involved, this detection is an essential part of an endpoint security strategy.
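As an added illustration (not the rule's own Splunk search), the following Python reproduces the summary's filter logic over constructed EDR file-creation events; the risky-directory list and the event fields are assumptions, since the page names only Windows Tasks and Temp.

```python
"""Added example: .txt writes into assumed world-writable Windows directories.
This is not the detection rule's Splunk search; events below are constructed."""
from dataclasses import dataclass
import ntpath

# Assumption: the rule's risky directories include at least these two.
RISKY_DIRS = (
    r"C:\Windows\Tasks",
    r"C:\Windows\Temp",
)


@dataclass(frozen=True)
class FileCreateEvent:  # assumed EDR file-creation record shape
    host: str
    process: str
    target_path: str


def _normalize(path: str) -> str:
    # EDR agents may report forward slashes or mixed case; Windows paths are case-insensitive.
    return ntpath.normpath(path.replace("/", "\\")).lower()


def is_risky_txt_write(path: str, risky_dirs=RISKY_DIRS) -> bool:
    """True when the created file is a .txt located under one of the risky directories."""
    norm = _normalize(path)
    if not norm.endswith(".txt"):
        return False
    for d in risky_dirs:
        prefix = _normalize(d) + "\\"  # trailing separator so C:\Windows\Temp2 does not match
        if norm.startswith(prefix):
            return True
    return False


def find_risky_txt_writes(events, risky_dirs=RISKY_DIRS):
    """Return (host, process, path) tuples for events that satisfy the rule's filter."""
    return [(e.host, e.process, e.target_path) for e in events
            if is_risky_txt_write(e.target_path, risky_dirs)]


# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    FileCreateEvent("ws01", "powershell.exe", r"C:\Windows\Tasks\update.txt"),
    FileCreateEvent("ws01", "notepad.exe", r"C:\Users\alice\Documents\notes.txt"),
    FileCreateEvent("ws02", "cmd.exe", "c:/windows/temp/out.TXT"),
    FileCreateEvent("ws02", "svchost.exe", r"C:\Windows\Temp2\cache.txt"),
    FileCreateEvent("ws03", "rundll32.exe", r"C:\Windows\Temp\data.bin"),
]

if __name__ == "__main__":
    for hit in find_risky_txt_writes(SAMPLE_EVENTS):
        print("ALERT", *hit)
```

Only the two .txt writes under Tasks and Temp are flagged; the Temp2 path and the non-.txt file are ignored.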
Categories
- Endpoint
Data Sources
- Process
- File
- Network Traffic
ATT&CK Techniques
- T1218.005
Created: 2024-11-13