
Summary
This detection rule identifies use of the PowerShell "Compress-Archive" cmdlet to compress files or folders into locations commonly used by adversaries to stage data for exfiltration. Malicious actors may compress sensitive data to package it efficiently before attempting to transfer it out of the environment. The rule alerts when command line patterns associated with the Compress-Archive cmdlet are observed, focusing on destination paths within temporary directories (e.g., %TEMP%, Local Temp, and Windows Temp). These paths are frequently used by malware because they are easily accessible for subsequent data theft. The detection parses process creation logs from Windows systems to reveal potentially suspicious behavior. It is categorized with a medium threat level: the patterns do not always indicate malicious intent, but they warrant further investigation.
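The following is an added example of the detection logic described above, run over constructed process-creation events; it is not the rule's own source and the exact temp-path strings, field names and sample command lines are assumptions. It goes slightly beyond the summary in one respect: it extracts the -DestinationPath argument (including PowerShell's abbreviated form such as -Dest) and tests only that path against the temp-directory patterns, falling back to the whole command line when the destination is given positionally, so that compressing a folder out of Temp into a normal location does not trigger the alert.

```python
import re
from typing import Optional

# Constructed sample process-creation events (not real telemetry); the field
# names mimic Sysmon Event ID 1 / Security 4688 records.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -NoP -c "Compress-Archive -Path C:\Users\alice\Documents -DestinationPath C:\Users\alice\AppData\Local\Temp\docs.zip"'},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r'pwsh.exe -Command "Compress-Archive -Path C:\inetpub\logs -Dest C:\Windows\Temp\l.zip -Force"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "compress-archive -Path C:\data -DestinationPath %TEMP%\d.zip"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -Command "Compress-Archive -Path .\build -DestinationPath C:\Users\bob\Desktop\release.zip"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c dir %TEMP%'},
]

# PowerShell cmdlet names are case-insensitive, so the match must be too.
CMDLET_RE = re.compile(r"\bcompress-archive\b", re.IGNORECASE)

# -DestinationPath may be abbreviated to any unambiguous prefix (e.g. -Dest),
# so match the prefix; the value may be double-quoted, single-quoted or bare.
DEST_RE = re.compile(r"-dest\w*\s+(?:\"([^\"]*)\"|'([^']*)'|(\S+))", re.IGNORECASE)

# Assumed staging-location patterns covering %TEMP%/%TMP%, the PowerShell
# environment variable forms, the per-user Local Temp and Windows Temp.
TEMP_PATTERNS = [
    re.compile(r"%temp%", re.IGNORECASE),
    re.compile(r"%tmp%", re.IGNORECASE),
    re.compile(r"\$env:te?mp\b", re.IGNORECASE),
    re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE),
    re.compile(r"\\Windows\\Temp\\", re.IGNORECASE),
]


def destination_path(command_line: str) -> Optional[str]:
    """Return the -DestinationPath value, or None if it is not given by name."""
    m = DEST_RE.search(command_line)
    if not m:
        return None
    value = next(g for g in m.groups() if g is not None)
    # A bare value at the end of a -c "..." string drags the closing quote along.
    return value.strip("\"'")


def is_temp_location(path: str) -> bool:
    """True if the path points into one of the temp directories above."""
    return any(p.search(path) for p in TEMP_PATTERNS)


def is_suspicious_compress(event: dict) -> bool:
    """Apply the rule to a single process-creation event."""
    cmd = event.get("CommandLine", "")
    if not CMDLET_RE.search(cmd):
        return False
    dest = destination_path(cmd)
    # Positional DestinationPath: fall back to scanning the whole command line,
    # accepting the extra false positives that the named-parameter check avoids.
    return is_temp_location(dest if dest is not None else cmd)


def scan(events: list) -> list:
    """Return the events that match the rule."""
    return [e for e in events if is_suspicious_compress(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```

Of the five constructed events, the first three match (Local Temp, Windows Temp and %TEMP% destinations); the Desktop archive and the unrelated cmd.exe line do not. When tuning this for a real environment, expect legitimate software installers and backup scripts to write archives into Temp, so the event's parent process and user context are the first fields to pivot on during triage.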
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1074.001
Created: 2021-07-20