
Summary
This detection rule identifies anomalous use of the 'sfc.exe' utility with the '-unblock' parameter on Windows systems, with a particular focus on Cisco Secure Endpoint environments. 'sfc.exe' is typically used for Windows system file verification and restoration; invoking it with the '-unblock' flag lets a user remove blocking imposed by security software. This can be a legitimate action during troubleshooting, but it may also indicate malicious activity if attackers use it to bypass security controls and execute previously blocked payloads.
The rule targets command-line executions in which 'sfc.exe' is invoked with the '-unblock' flag, filtering out legitimate system paths to reduce false positives. Essential data sources include Sysmon event logs, Windows Security event logs, and CrowdStrike process data. This telemetry allows the rule to identify potentially harmful command executions that aim to manipulate endpoint security controls.
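The detection logic described above, applied to constructed Sysmon-style process-creation events (an added example, not the rule's own query; the allow-listed directories and the sample events are assumptions standing in for the rule's "legitimate system paths" and real telemetry):

```python
import re
from typing import Iterable, List

# Assumed allow-list: directories from which 'sfc.exe -unblock' is treated as
# expected. Subdirectories are included. Adjust to real install locations.
ALLOWED_PARENT_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

# '-unblock' or '/unblock' as a separate argument, case-insensitive.
UNBLOCK_FLAG = re.compile(r"(?:^|\s)[-/]unblock(?:\s|$)", re.IGNORECASE)


def is_allowed_path(image: str) -> bool:
    """True if the image path sits under an allow-listed directory."""
    img = image.lower().replace("/", "\\")
    return any(img.startswith(d + "\\") for d in ALLOWED_PARENT_DIRS)


def matches_rule(event: dict) -> bool:
    """Image is sfc.exe, command line carries -unblock, path not allow-listed."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if not image.lower().endswith("\\sfc.exe"):
        return False
    if not UNBLOCK_FLAG.search(cmd):
        return False
    return not is_allowed_path(image)


def find_hits(events: Iterable[dict]) -> List[dict]:
    """Return every event the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample telemetry shaped like Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\sfc.exe", "CommandLine": "sfc.exe /scannow",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": r"C:\Windows\System32\sfc.exe", "CommandLine": "sfc.exe -unblock",
     "User": "NT AUTHORITY\\SYSTEM"},        # allow-listed path: no alert
    {"Image": r"C:\Users\Public\tools\sfc.exe",
     "CommandLine": "sfc.exe -unblock", "User": "CORP\\jdoe"},  # alert
    {"Image": r"C:\Temp\sfc.exe", "CommandLine": "sfc.exe /verifyonly",
     "User": "CORP\\jdoe"},                  # no -unblock flag: no alert
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT:", hit["User"], hit["Image"], hit["CommandLine"])
```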
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
- Logon Session
ATT&CK Techniques
- T1562.001
Created: 2025-02-19