Summary
This detection rule identifies the use of native command-line utilities that compress or archive data on endpoints, with the aim of catching adversaries who compress data to obfuscate it before exfiltration. Adversaries may use tools such as `tar`, `gzip`, `bzip2`, or other compression commands to hide their activity while collecting and staging data ahead of exfiltration. The rule uses the `get_endpoint_data` and `get_endpoint_data_unix` commands to gather endpoint process data, then applies search terms for common archive and compression utilities. Regex filtering excludes command lines involving benign processes that are unlikely to indicate malicious intent, such as `find`, `wget`, and `curl`. By analyzing the captured command-line arguments of processes, the rule flags compression activity that could align with malicious data staging. The referenced techniques, T1074.001 and T1560, place it within the context of data collection and staging.
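As an added illustration (not the rule's own search, which is not reproduced on this page), the following Python applies the same logic to constructed process events: match the command line against an assumed list of compression utilities and suppress any match whose command line also references `find`, `wget` or `curl`. The tool list beyond `tar`, `gzip` and `bzip2`, the event field names and the sample events are all assumptions.

```python
import re
from typing import Dict, Iterable, List

# Assumed list of archive/compression utilities to flag. The page names tar,
# gzip and bzip2 and "other compression commands"; zip, xz and 7z are added here.
COMPRESSION_TOOLS = ("tar", "gzip", "bzip2", "zip", "xz", "7z")

# Benign utilities whose presence on the command line suppresses the alert,
# mirroring the rule's regex exclusion (e.g. "curl ... | tar xz" package fetches).
BENIGN_EXCLUSIONS = re.compile(r"\b(find|wget|curl)\b")

# Match a tool name only at the start of the command or after whitespace, a
# path separator or a shell operator, so "/usr/bin/gzip" matches but
# "tarsnap" or a file called "backup.tar" inside another argument does not.
TOOL_PATTERN = re.compile(
    r"(?:^|[\s;|&/])(" + "|".join(map(re.escape, COMPRESSION_TOOLS)) + r")\b"
)


def is_suspicious_compression(cmdline: str) -> bool:
    """True if the command line invokes a compression utility and is not excluded."""
    if BENIGN_EXCLUSIONS.search(cmdline):
        return False
    return TOOL_PATTERN.search(cmdline) is not None


def flag_processes(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Reduce endpoint process events (assumed 'cmdline' field) to the flagged ones."""
    return [event for event in events if is_suspicious_compression(event["cmdline"])]


# Constructed sample events standing in for get_endpoint_data_unix output.
SAMPLE_EVENTS = [
    {"host": "web01", "user": "www-data",
     "cmdline": "tar -czf /tmp/staged.tgz /var/www/html/uploads /etc"},
    {"host": "build02", "user": "ci",
     "cmdline": "curl -sL https://example.invalid/pkg.tgz | tar xz -C /opt"},
    {"host": "db01", "user": "postgres", "cmdline": "/usr/bin/gzip -9 /var/lib/postgresql/dump.sql"},
    {"host": "dev03", "user": "alice", "cmdline": "find /home/alice -name '*.log' -exec gzip {} ;"},
    {"host": "dev03", "user": "alice", "cmdline": "ls -la /home/alice"},
]

if __name__ == "__main__":
    for event in flag_processes(SAMPLE_EVENTS):
        print(f"[{event['host']}] {event['user']}: {event['cmdline']}")
```

Only the first and third sample events are flagged: the `curl` pipeline and the `find -exec gzip` loop are suppressed by the exclusion regex, which is exactly the false-positive trade-off the rule's filtering accepts.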
Categories
- Endpoint
- Linux
Data Sources
- Process
- Command
- Script
ATT&CK Techniques
- T1074.001
- T1560
- T1560.001
Created: 2024-02-09