
Summary
This rule detects data exfiltration attempts that use the AWS Command Line Interface (CLI) on Windows systems, specifically the 's3 cp' command. Threat actors may use this command to copy data to S3-compatible storage services outside the controlled environment, thereby exfiltrating potentially sensitive or large volumes of data. The combination of flags such as --recursive, --region, and --endpoint-url suggests a non-standard bulk data transfer and may indicate malicious activity. The detection relies on Sysmon telemetry, specifically Event ID 1 (process creation). The rule tracks any invocation of the AWS CLI with the specified arguments and records metadata such as the event time, host, user account, and process details. Identifying these patterns gives security teams visibility into potentially compromised systems so they can take the actions needed to mitigate data breaches.
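As an added example (not the rule's own query or any vendor code), the logic described above applied in Python to constructed Sysmon Event ID 1 records: field names follow the Sysmon process-creation schema, and the sample events, hosts, user and endpoint URL are invented for the example.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the fields the
# rule uses. These are invented sample events for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2025-05-06 10:01:12.000", "Computer": "WS-FIN-07",
     "User": "CORP\\jdoe", "ProcessId": 4312, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Program Files\Amazon\AWSCLIV2\aws.exe", "OriginalFileName": "aws.exe",
     "CommandLine": r"aws s3 cp C:\Finance\ s3://bkt/x --recursive --region us-east-1 "
                    "--endpoint-url https://storage.example-cloud.test"},
    {"EventID": 1, "UtcTime": "2025-05-06 10:02:40.000", "Computer": "WS-FIN-07",
     "User": "CORP\\jdoe", "ProcessId": 4320, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Program Files\Amazon\AWSCLIV2\aws.exe", "OriginalFileName": "aws.exe",
     "CommandLine": "aws s3 ls s3://bkt"},                       # listing only: no match
    {"EventID": 3, "UtcTime": "2025-05-06 10:02:41.000", "Computer": "WS-FIN-07",
     "User": "CORP\\jdoe", "ProcessId": 4320, "Image": r"C:\Program Files\Amazon\AWSCLIV2\aws.exe",
     "CommandLine": "aws s3 cp a s3://b --recursive"},           # network event, not EID 1
]

BULK_FLAGS = ("--recursive", "--region", "--endpoint-url")

def match_aws_s3_cp(event):
    """Return an alert dict when the event is an AWS CLI 's3 cp' launched with one or more
    of the bulk-transfer flags, else None (Sysmon EID 1, aws.exe, 's3 cp', flags)."""
    if event.get("EventID") != 1:
        return None
    image_name = ntpath.basename(event.get("Image", "")).lower()
    if image_name != "aws.exe" and event.get("OriginalFileName", "").lower() != "aws.exe":
        return None
    cmd = event.get("CommandLine", "")
    tokens = re.split(r"\s+", cmd.strip())
    # 's3' must be immediately followed by 'cp' (aws <service> <operation>)
    if not any(a == "s3" and b == "cp" for a, b in zip(tokens, tokens[1:])):
        return None
    # accept both '--flag value' and '--flag=value' spellings
    flags = sorted({f for f in BULK_FLAGS for t in tokens if t == f or t.startswith(f + "=")})
    if not flags:
        return None
    m = re.search(r"--endpoint-url(?:=|\s+)(\S+)", cmd)
    return {"time": event.get("UtcTime"), "host": event.get("Computer"), "user": event.get("User"),
            "pid": event.get("ProcessId"), "parent": event.get("ParentImage"),
            "image": event.get("Image"), "flags": flags,
            "endpoint_url": m.group(1) if m else None, "command_line": cmd}

def run_rule(events):
    # Apply the rule to a batch of Sysmon events and return the alerts it raises.
    return [a for a in (match_aws_s3_cp(e) for e in events) if a]
```

The endpoint URL is surfaced in the alert because a non-AWS --endpoint-url is the field an analyst will want to triage first.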
Categories
- Cloud
- Endpoint
- Windows
Data Sources
- User Account
- Process
- Network Traffic
ATT&CK Techniques
- T1567
Created: 2025-05-06