
Summary
This detection rule identifies suspicious output redirection to the local admin share, a tactic attackers can use to stage, manipulate or exfiltrate data stealthily. Specifically, the rule looks for command-line activity that redirects output to the local admin share (admin$), which can indicate malicious scripts or tools being employed during a system breach. The detection triggers when the command line contains an output redirection symbol (e.g., '>') and references the local admin share on 127.0.0.1 or localhost. Because this behavior can also be benign in some cases, the rule is assigned a high alert level in view of the potential for abuse in targeted attacks. The rule is informed by techniques observed from various advanced persistent threat (APT) groups and is designed to bolster defenses against such activity.
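As an added example, not the rule's own Sigma source, the following Python reproduces the matching logic described above and runs it over a few constructed process-creation events; the event fields, function names and sample command lines are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass

# Matches a reference to the local admin share reached via the loopback
# address or hostname, e.g. \\127.0.0.1\admin$ or \\localhost\ADMIN$
# (share names are case-insensitive on Windows).
LOCAL_ADMIN_SHARE = re.compile(
    r"\\\\(?:127\.0\.0\.1|localhost)\\admin\$", re.IGNORECASE
)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (constructed for this example)."""
    image: str
    command_line: str


def is_redirect_to_local_admin_share(command_line: str) -> bool:
    """True when the command line both contains an output redirection
    symbol ('>') and references the local admin share on 127.0.0.1 or
    localhost, mirroring the two conditions the rule description states."""
    return ">" in command_line and LOCAL_ADMIN_SHARE.search(command_line) is not None


def scan(events):
    """Return the events that satisfy the detection logic."""
    return [e for e in events if is_redirect_to_local_admin_share(e.command_line)]


# Constructed sample events: two should match, three should not.
SAMPLE_EVENTS = [
    ProcessEvent("cmd.exe", r"cmd.exe /c whoami > \\127.0.0.1\ADMIN$\__1612345.txt"),
    ProcessEvent("cmd.exe", r"cmd.exe /c ipconfig /all > \\localhost\admin$\out.txt 2>&1"),
    # Redirection, but to a local path rather than the admin share.
    ProcessEvent("cmd.exe", r"cmd.exe /c dir > C:\temp\out.txt"),
    # Admin share referenced, but no output redirection.
    ProcessEvent("cmd.exe", r"cmd.exe /c type \\127.0.0.1\admin$\notes.txt"),
    # Redirection to a different local share (c$), outside this rule's scope.
    ProcessEvent("powershell.exe", r"powershell -c Get-Process > \\127.0.0.1\c$\p.txt"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT {hit.image}: {hit.command_line}")
```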
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- Process
Created: 2022-01-16