
WinRAR Spawning Shell Application

Splunk Security Content

Summary
This detection rule targets Windows shell and LOLBin processes spawned by WinRAR, such as `cmd.exe`, `powershell.exe`, `certutil.exe`, `mshta.exe`, or `bitsadmin.exe`. Using Sysmon EventID 1, Windows Security Logs (process creation, EventID 4688), and CrowdStrike data, the rule highlights activity consistent with exploitation of the WinRAR vulnerability CVE-2023-38831 (fixed in WinRAR 6.23). That flaw lets an attacker craft a ZIP archive in which a benign-looking file (for example a PDF or image) shares its name with a folder containing a script; when the user opens the file from WinRAR, the script is executed instead, which can lead to unauthorized access and data theft. The rule relies on the parent-child process relationship (WinRAR as parent, a shell or LOLBin as child) to surface this behavior. Analysts must ensure process-creation logs from their EDR solution are properly ingested and should review the command line, working directory, and user context of flagged events to separate benign uses of WinRAR from exploitation attempts.
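The rule's matching logic, as an added example in Python rather than the rule's own SPL (which this page does not show): it scans process-creation records for a WinRAR parent and a shell/LOLBin child and returns the hits with the context an analyst would triage. The sample events are constructed for this illustration, and the field names (`parent_process_name`, `process_name`, `process`, `dest`, `user`) are assumed to follow the Splunk Endpoint.Processes data model; adjust them to your ingest.

```python
from pathlib import PureWindowsPath

# Child processes the rule treats as shell/LOLBin activity (as listed on the page).
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe", "mshta.exe", "bitsadmin.exe"}

# Parent process of interest. Parent image may arrive as a bare name or a full path,
# so both are normalized to a lowercase basename before comparison.
WINRAR_PARENT = "winrar.exe"


def _basename(image: str) -> str:
    """Return the lowercase file name of a Windows image path (or bare name)."""
    return PureWindowsPath(image).name.lower()


def is_winrar_spawning_shell(event: dict) -> bool:
    """True when a WinRAR parent spawned one of the watched child processes."""
    parent = _basename(event.get("parent_process_name", ""))
    child = _basename(event.get("process_name", ""))
    return parent == WINRAR_PARENT and child in SHELL_CHILDREN


def winrar_spawning_shell(events):
    """Return the events that match the rule, with triage context attached."""
    hits = []
    for event in events:
        if is_winrar_spawning_shell(event):
            hits.append({
                "dest": event.get("dest"),
                "user": event.get("user"),
                "parent_process_name": event.get("parent_process_name"),
                "process_name": event.get("process_name"),
                "process": event.get("process"),
            })
    return hits


# Constructed sample process-creation events (not real telemetry).
# Field names assume the Splunk Endpoint.Processes data model.
SAMPLE_EVENTS = [
    {   # Expected hit: WinRAR launching cmd.exe from its temp extraction folder.
        "dest": "ws01", "user": "alice",
        "parent_process_name": "C:\\Program Files\\WinRAR\\WinRAR.exe",
        "process_name": "cmd.exe",
        "process": 'cmd.exe /c "C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$DIa0.123\\invoice.pdf.cmd"',
    },
    {   # Expected hit: bare parent name, mixed case child.
        "dest": "ws02", "user": "bob",
        "parent_process_name": "WinRAR.exe",
        "process_name": "PowerShell.exe",
        "process": "powershell.exe -w hidden -ep bypass -f C:\\Users\\bob\\AppData\\Local\\Temp\\Rar$DIa0.456\\update.ps1",
    },
    {   # Benign: WinRAR opening a PDF viewer, not a shell.
        "dest": "ws01", "user": "alice",
        "parent_process_name": "C:\\Program Files\\WinRAR\\WinRAR.exe",
        "process_name": "AcroRd32.exe",
        "process": 'AcroRd32.exe "C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$DIa0.789\\report.pdf"',
    },
    {   # Not a WinRAR parent: explorer.exe launching cmd.exe is out of scope here.
        "dest": "ws03", "user": "carol",
        "parent_process_name": "C:\\Windows\\explorer.exe",
        "process_name": "cmd.exe",
        "process": "cmd.exe",
    },
]


if __name__ == "__main__":
    for hit in winrar_spawning_shell(SAMPLE_EVENTS):
        print(f"[{hit['dest']}] {hit['user']}: {hit['parent_process_name']} -> {hit['process']}")
```

When tuning, a command line pointing into a `Rar$` temp directory alongside a WinRAR parent is the strongest signal; a WinRAR parent spawning `cmd.exe` for an administrator's own batch file will also match, so the rule is a starting point for triage rather than a verdict on its own.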
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
  • Logon Session
ATT&CK Techniques
  • T1105
Created: 2024-12-10