
Summary
This rule detects the use of common data archiving tools (e.g., WinRAR, 7-Zip) that malicious actors may use to compress or encrypt data prior to exfiltration. Threat actors often use such tools to evade detection and obfuscate sensitive data. The rule leverages endpoint data to trigger alerts based on specific process names associated with various archiving utilities. The detection logic captures events tied to these tools, specifically looking at PowerShell invocation and associated event logs. It employs a regex filter to identify relevant process names across multiple utilities, enabling monitoring of potential adversarial data manipulation and exfiltration activity. The rule is particularly relevant because this technique has been associated with well-known threat actor groups, including APT10, APT29, and DarkSide.
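As an added example (not the rule's own definition), the following Python sketch applies the kind of process-name regex the summary describes to constructed process-creation events in Sysmon Event ID 1 field style, and records whether the archiver was launched from PowerShell. The list of archiver binaries, the field names and the sample events are assumptions for illustration.

```python
import re
from typing import Iterable, Optional

# Process names the regex covers. This list is an assumption for the example:
# it includes the WinRAR and 7-Zip binaries the summary names plus a few other
# common archivers; a production rule would carry its own vetted list.
ARCHIVER_RE = re.compile(
    r"(?:^|\\)(?:winrar|rar|unrar|7z|7za|7zr|7zg|tar|makecab)\.exe$",
    re.IGNORECASE,
)
# Parent processes that count as "PowerShell invocation" in this example.
POWERSHELL_RE = re.compile(
    r"(?:^|\\)(?:powershell|pwsh|powershell_ise)\.exe$", re.IGNORECASE
)

def match_archiving_tool(event: dict) -> Optional[dict]:
    """Return an alert record if the event's Image is an archiving utility, else None."""
    image = event.get("Image", "")
    if not ARCHIVER_RE.search(image):
        return None
    parent = event.get("ParentImage", "")
    return {
        "host": event.get("Computer"),
        "user": event.get("User"),
        "image": image,
        "command_line": event.get("CommandLine", ""),
        "parent": parent,
        # Launch from PowerShell is one of the signals the rule summary calls out.
        "from_powershell": bool(POWERSHELL_RE.search(parent)),
    }

def scan(events: Iterable[dict]) -> list:
    """Run the matcher over a stream of process-creation events and collect alerts."""
    return [a for a in (match_archiving_tool(e) for e in events) if a]

# Constructed sample events (Sysmon Event ID 1 field names); not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a -p out.7z C:\Users\alice\Documents',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Computer": "WS02", "User": "CORP\\bob",
     "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" x archive.rar',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The `from_powershell` flag is kept as an enrichment field rather than a filter so that interactive WinRAR use still surfaces, which keeps the tuning decision (alert on all archiver launches, or only scripted ones) visible to the analyst.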
Categories
- Endpoint
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1560.001
Created: 2024-02-09