
Anomalous usage of 7zip

Splunk Security Content

Summary
This rule detects anomalous usage of the 7-Zip utility (7z.exe), specifically when it is spawned by unexpected parent processes such as rundll32.exe or dllhost.exe. The behavior is identified from process-creation telemetry collected by Endpoint Detection and Response (EDR) systems, using the parent/child process relationship to spot misuse in contexts such as data exfiltration. Launching 7-Zip in this manner may indicate an adversary archiving or staging data for exfiltration under the guise of legitimate utility usage. The detection is intended as a proactive control against unauthorized archiving of sensitive information, which can further compromise system security.
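The parent/child check described above, as an added illustration over constructed EDR process-creation events (this is not the rule's own SPL, and the hosts, users and paths are made up):

```python
from dataclasses import dataclass
import ntpath

# Parents the rule description calls out as unexpected for 7z.exe.
SUSPICIOUS_PARENTS = {"rundll32.exe", "dllhost.exe"}
ARCHIVER = "7z.exe"
TECHNIQUES = ["T1560", "T1560.001"]  # ATT&CK mapping from the rule page

@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent_image: str   # full image path as an EDR sensor reports it
    image: str
    command_line: str

def image_name(path: str) -> str:
    """Normalise a Windows image path to its lower-cased file name."""
    return ntpath.basename(path.strip('"')).lower()

def is_anomalous_7zip(ev: ProcessEvent) -> bool:
    """True when 7z.exe is launched by one of the unexpected parents."""
    return (image_name(ev.image) == ARCHIVER
            and image_name(ev.parent_image) in SUSPICIOUS_PARENTS)

def detect(events):
    """Return one alert per matching event, tagged with the ATT&CK IDs."""
    return [{"host": ev.host, "user": ev.user,
             "parent": image_name(ev.parent_image),
             "cmd": ev.command_line, "techniques": TECHNIQUES}
            for ev in events if is_anomalous_7zip(ev)]

# Constructed sample telemetry; hosts, users and paths are made up.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "alice", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\7-Zip\7z.exe", "7z.exe a backup.7z Docs"),
    ProcessEvent("WS02", "bob", r"C:\Windows\System32\rundll32.exe",
                 r"C:\Users\bob\AppData\Local\Temp\7z.exe", "7z.exe a out.7z Finance"),
    ProcessEvent("WS03", "svc", r"C:\WINDOWS\SYSTEM32\DLLHOST.EXE",
                 r"c:\tools\7Z.EXE", "7z.exe a archive.7z *.docx"),
    ProcessEvent("WS04", "carol", r"C:\Windows\System32\rundll32.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Path and case normalisation matters here: sensors report full image paths in varying case, so matching on the raw string would miss the WS03 event.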
Categories
  • Endpoint
Data Sources
  • Pod
  • User Account
  • Process
ATT&CK Techniques
  • T1560
  • T1560.001
Created: 2024-11-13