
Summary
This detection rule identifies suspicious process executions that originate from common container or archive file types such as ZIP, ISO and IMG. The rule is built on data collected from Endpoint Detection and Response (EDR) agents and keys primarily on process names and command-line arguments. The behavior is notable because adversaries frequently use archive and disk-image files to deliver scripts or executables and to bypass traditional security defenses. If an execution is confirmed to be malicious, it can give an attacker the means to execute arbitrary code, elevate privileges, or maintain persistent access within the target environment. The rule consumes event data including Sysmon EventID 1 and Windows Security Event Log 4688, and integrates with the CrowdStrike data model for enhanced threat identification.
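The following is an added illustration of the detection logic described above, not the rule's own search: it normalizes Sysmon EventID 1 and Security 4688 field names onto a process path and command line, then flags events where either value contains a path component ending in one of the container extensions the summary names (ZIP, ISO, IMG). The sample events are constructed, and the path-component heuristic is an assumption made for this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Extensions named in the summary; matching a path element such as
# "\invoice.zip\" is this example's heuristic, not the rule's exact search.
CONTAINER_EXTENSIONS = ("zip", "iso", "img")
_CONTAINER_PATH = re.compile(
    rf"[\\/][^\\/]+\.(?:{'|'.join(CONTAINER_EXTENSIONS)})[\\/]", re.IGNORECASE
)


@dataclass
class Finding:
    process: str
    command_line: str
    matched_on: str  # "process" or "command_line"


def normalize(event: dict) -> tuple[str, str]:
    """Map Sysmon (Image/CommandLine) and 4688 (NewProcessName/CommandLine) fields."""
    image = event.get("Image") or event.get("NewProcessName") or ""
    cmdline = event.get("CommandLine") or ""
    return image, cmdline


def detect(events: list[dict]) -> list[Finding]:
    """Return one Finding per event whose process path or command line
    references a file inside a ZIP, ISO or IMG container."""
    findings = []
    for ev in events:
        image, cmdline = normalize(ev)
        for field, value in (("process", image), ("command_line", cmdline)):
            if _CONTAINER_PATH.search(value):
                findings.append(Finding(image, cmdline, field))
                break  # one finding per event
    return findings


# Constructed sample events: an Explorer-style execution straight out of a ZIP,
# a benign process, and a script launched from a path inside an ISO.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\invoice.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\invoice.exe"'},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -File "C:\Users\bob\Downloads\doc.iso\run.ps1"'},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.matched_on}] {f.process} :: {f.command_line}")
```

A directory that merely happens to be named like an archive (for example a folder called `backup.zip`) will also match, so tune the expression against your own environment before alerting on it.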
Categories
- Endpoint
Data Sources
- Pod
- Container
- Process
ATT&CK Techniques
- T1204
- T1204.002
- T1036.008
Created: 2024-11-13