Encrypting Files with WinRar or 7z

Elastic Detection Rules

Summary
This rule identifies the usage of WinRar or 7z utilities to create encrypted files, an indication that adversaries may be compressing and encrypting data in preparation for exfiltration. Such activities typically occur in the later stages of an attack, where attackers aim to obfuscate the data being collected to evade detection. The rule analyzes various parameters, including process names and command-line arguments, to track the creation of encrypted archives. Investigation guidance is provided for examining the parent process tree, retrieving encrypted files, and checking for any associated alerts within a 48-hour timeframe of the event. Furthermore, the rule outlines steps to analyze false positives, particularly in the context of legitimate backup software usage, and suggests a series of incident response actions if the operations are found to be malicious. This rule applies across several data sources such as Windows event logs and endpoints, ensuring it captures all relevant instances of suspicious file encryption behavior.
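As an added illustration of the behaviour the rule looks for (example code written for this page, not Elastic's rule or its query): a small triage pass over constructed process-creation events that flags the archivers when they are invoked with a password switch, recovers the password so the archive can be opened during investigation, and marks an assumed backup-software parent as a likely false positive. The archiver names, the -p/-hp switches (the real 7-Zip and RAR password options) and the BackupAgent.exe allowlist are assumptions.

```python
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe"}
# Hypothetical allowlist for the backup-software false positive the rule notes
BACKUP_PARENTS = {"backupagent.exe"}

# Constructed sample process-creation events, not taken from the page or Elastic
EVENTS = [
    {"name": "rar.exe", "parent": "cmd.exe",
     "cmdline": "rar.exe a -hpS3cret! C:\\Users\\u\\staging.rar C:\\Users\\u\\Documents"},
    {"name": "7z.exe", "parent": "powershell.exe",
     "cmdline": "7z.exe a -pHunter2 -mhe=on out.7z C:\\finance"},
    {"name": "7z.exe", "parent": "explorer.exe",
     "cmdline": "7z.exe a backup.7z C:\\Projects"},          # no password: not encrypted
    {"name": "7z.exe", "parent": "BackupAgent.exe",
     "cmdline": "7z.exe a -pVaultKey nightly.7z D:\\data"},   # allowlisted parent
]


def password_from_args(args):
    """Return the password given via -hp (RAR, also encrypts headers) or -p
    (RAR and 7-Zip); None when no password switch is present. A bare switch
    makes the tool prompt interactively and is reported as '(prompted)'."""
    for a in args:
        low = a.lower()
        if low.startswith("-hp"):
            return a[3:] or "(prompted)"
        if low.startswith("-p"):
            return a[2:] or "(prompted)"
    return None


def is_encrypted_archive_cmd(name, cmdline):
    """True when a known archiver adds to an archive with a password switch."""
    if name.lower() not in ARCHIVERS:
        return False
    args = cmdline.split()[1:]
    adds = any(a.lower() in ("a", "u") for a in args)  # a = add, u = update
    return adds and password_from_args(args) is not None


def triage(events):
    """One finding per matching event; the allowlist flag helps an analyst
    prioritise, and the recovered password supports the investigation step."""
    findings = []
    for e in events:
        if not is_encrypted_archive_cmd(e["name"], e["cmdline"]):
            continue
        findings.append({
            "cmdline": e["cmdline"],
            "parent": e["parent"],
            "password": password_from_args(e["cmdline"].split()[1:]),
            "likely_false_positive": e["parent"].lower() in BACKUP_PARENTS,
        })
    return findings
```

Run against EVENTS, the third event is skipped because it sets no password, and the fourth is reported but flagged as a likely false positive because of its parent.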
Categories
  • Endpoint
  • Windows
  • Cloud
  • Other
Data Sources
  • Process
  • File
  • Application Log
  • Logon Session
ATT&CK Techniques
  • T1005
  • T1560
  • T1560.001
Created: 2020-12-04