
Potentially Suspicious CMD Shell Output Redirect

Sigma Rules

Summary
This detection rule identifies potentially malicious use of Windows command shell (CMD) output redirection to suspicious locations. By matching command-line arguments in which output is redirected with the ">" symbol into directories associated with user profiles or system temporary files, the rule aims to capture commands that attackers could use for reconnaissance or for staging data prior to exfiltration. Such behavior often involves redirecting the output of benign commands such as "hostname" or "dir" to hidden or atypical locations from which the attacker can later retrieve the data. The rule combines image selection criteria with command-line patterns to separate genuinely malicious activity from routine administrative tasks. It focuses on common directories tied to user profiles or temporary file storage, giving targeted yet broad coverage of this staging technique. The rule is currently categorized as experimental and may produce false positives, particularly in environments where legitimate administrators use similar output redirection for diagnostics or logging purposes.
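The following is an added example, not the Sigma rule itself or code from the rule's authors: a small Python detector that applies the logic the summary describes (image is cmd.exe, command line contains a ">" redirect whose target lands in a user-profile or temporary directory) to a handful of constructed Sysmon-style process-creation events. The directory fragment list and the environment-variable expansions are assumptions chosen to match the summary, not the rule's real selection; the sample events and the user name "someuser" are constructed.

```python
import re

# Assumed directory fragments (lower-case, backslash form). The rule's actual
# list is not reproduced on the page; these stand in for the "user profile"
# and "temporary file" locations the summary describes.
SUSPICIOUS_DIR_FRAGMENTS = (
    "\\users\\public\\",
    "\\appdata\\",
    "\\temp\\",
    "\\programdata\\",
)

# Assumed expansions so a target like "%TEMP%\out.txt" is judged by where it
# lands rather than by its literal text. The profile path is a placeholder.
ENV_EXPANSIONS = {
    "%temp%": "c:\\users\\someuser\\appdata\\local\\temp",
    "%tmp%": "c:\\users\\someuser\\appdata\\local\\temp",
    "%appdata%": "c:\\users\\someuser\\appdata\\roaming",
    "%localappdata%": "c:\\users\\someuser\\appdata\\local",
    "%public%": "c:\\users\\public",
}

# ">" or ">>", optional whitespace, optional opening quote, then the target
# token. "&" is excluded so "2>&1" does not yield a bogus target "&1".
REDIRECT_RE = re.compile(r'>>?\s*"?([^"\s&|]+)')


def is_cmd_image(event):
    """Image selection: the process is cmd.exe by path or original file name."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\cmd.exe") or original == "cmd.exe"


def redirect_targets(command_line):
    """Return every redirect target in the command line, env vars expanded."""
    expanded = command_line.lower()
    for var, path in ENV_EXPANSIONS.items():
        expanded = expanded.replace(var, path)
    return [m.group(1) for m in REDIRECT_RE.finditer(expanded)]


def suspicious_targets(command_line):
    """Keep only redirect targets that fall inside an assumed suspicious directory."""
    return [
        target for target in redirect_targets(command_line)
        if any(frag in target for frag in SUSPICIOUS_DIR_FRAGMENTS)
    ]


def matches_rule(event):
    """Both conditions must hold: cmd.exe image and a suspicious redirect target."""
    if not is_cmd_image(event):
        return False
    return bool(suspicious_targets(event.get("CommandLine", "")))


def run_detection(events):
    """Return the ids of events the rule would flag."""
    return [e["Id"] for e in events if matches_rule(e)]


# Constructed sample events in Sysmon Event ID 1 field names.
CMD = "C:\\Windows\\System32\\cmd.exe"
SAMPLE_EVENTS = [
    {"Id": 1, "Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c hostname > C:\Users\Public\hostname.txt 2>&1"},
    {"Id": 2, "Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir C:\ >> %TEMP%\dir.txt"},
    {"Id": 3, "Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c ipconfig /all > C:\Logs\ipconfig.txt"},
    {"Id": 4, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe -c hostname > C:\Users\Public\h.txt"},
    {"Id": 5, "Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c echo hello"},
    {"Id": 6, "Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'cmd.exe /c type report.txt > "C:\Users\bob\AppData\Roaming\r.txt"'},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT" if matches_rule(event) else "ok   "
        print(verdict, event["Id"], event["CommandLine"])
```

Events 1, 2 and 6 fire: the first redirects to the Public profile, the second lands in %TEMP% after expansion, and the sixth uses a quoted AppData path. Event 3 redirects to a log directory that is outside the assumed list, event 4 is not cmd.exe, and event 5 has no redirect at all. Extracting the actual target instead of matching ">" anywhere in the line is what keeps the "2>&1" suffix in event 1 from producing a spurious hit.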
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-07-12