
Summary
This detection rule targets adversarial activity in which data is staged for exfiltration using file output commands in a compromised environment. It looks for executed commands that redirect their output to a file with the '>' or '>>' operators. Threat actors commonly use this technique to capture the results of reconnaissance or collection commands and save them locally before moving the sensitive information out of the environment. The rule is written for Splunk and relies on endpoint data, including PowerShell logs, to identify activity indicative of data staging; its detection logic keys on the Windows Event IDs associated with command execution where file redirection is present. The behavior aligns with tradecraft observed from threat actors such as Lazarus and Mustang Panda, and is associated with several malware groups, including Clop and Conti.
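The following Python is an added illustration of the detection logic described above, written for this page rather than taken from the rule itself (the rule's Splunk search is not reproduced here). It assumes two event sources the page does not name explicitly: Windows Event ID 4688 (process creation, with the CommandLine field) and PowerShell Event ID 4104 (script block logging, with the ScriptBlockText field). The sample events are constructed. The regex deliberately ignores stream merges such as 2>&1, the comparison operator -gt, a '>' inside a quoted string, and the common benign sink $null, so that only redirections to an actual file path produce an alert.

```python
import re
from dataclasses import dataclass, field

# Constructed sample events, not real telemetry. The event IDs and field names are
# assumptions: 4688 = process creation (CommandLine), 4104 = PowerShell script block
# logging (ScriptBlockText). The page does not name the IDs the Splunk rule uses.
SAMPLE_EVENTS = [
    {"EventID": 4688, "host": "WS01",
     "CommandLine": 'cmd.exe /c "ipconfig /all > C:\\Users\\Public\\net.txt"'},
    {"EventID": 4104, "host": "WS01",
     "ScriptBlockText": 'Get-ChildItem C:\\Finance -Recurse >> $env:TEMP\\inv.log'},
    {"EventID": 4688, "host": "WS02",
     "CommandLine": 'cmd.exe /c "dir C:\\ 2>&1"'},          # stream merge, not a file
    {"EventID": 4104, "host": "WS02",
     "ScriptBlockText": 'Start-Service Spooler > $null'},   # discards output, benign
    {"EventID": 4688, "host": "WS03",
     "CommandLine": 'notepad.exe report.txt'},              # no redirection at all
    {"EventID": 4104, "host": "WS03",
     "ScriptBlockText": 'if ($a -gt 3) { Write-Host ">" }'},  # '>' only inside a string
]

# '>' or '>>' (not part of '->'), optional whitespace, then a target token that is not
# a stream reference (&1). The target may be wrapped in matching quotes; a '>' that is
# immediately followed by a closing quote yields no target and therefore no match.
REDIRECT_RE = re.compile(r'(?<!-)>{1,2}\s*(?!&)(["\']?)([^\s"\'|;&]+)\1')

# Redirection sinks that do not write a file and would only generate noise.
NOISE_TARGETS = {"$null", "nul", "/dev/null"}


@dataclass
class Alert:
    host: str
    event_id: int
    command: str
    targets: list = field(default_factory=list)


def extract_command(event: dict) -> str:
    """Pull the executed command text out of the two assumed event types."""
    if event.get("EventID") == 4688:
        return event.get("CommandLine", "")
    if event.get("EventID") == 4104:
        return event.get("ScriptBlockText", "")
    return ""


def find_file_redirections(command: str) -> list:
    """Return the file targets of every '>' / '>>' redirection in a command string."""
    targets = []
    for match in REDIRECT_RE.finditer(command):
        target = match.group(2)
        if target.lower() in NOISE_TARGETS:
            continue
        targets.append(target)
    return targets


def detect_staging(events: list) -> list:
    """Run the redirection check over a batch of events and return one Alert per hit."""
    alerts = []
    for event in events:
        command = extract_command(event)
        targets = find_file_redirections(command)
        if targets:
            alerts.append(Alert(host=event.get("host", "?"),
                                event_id=event["EventID"],
                                command=command,
                                targets=targets))
    return alerts


if __name__ == "__main__":
    for alert in detect_staging(SAMPLE_EVENTS):
        print(f"[{alert.host}] EID {alert.event_id}: output staged to "
              f"{', '.join(alert.targets)} :: {alert.command}")
```

Running the script flags only the two WS01 events, which is the behaviour a practitioner wants from a staging detection: the rule should fire on output being written to a file path, while the 2>&1, $null and quoted-string cases stay silent. In a production Splunk search the same filtering would be expressed in the regex applied to the command-line field, and the resulting file paths are the natural pivot for follow-on hunting (subsequent reads, archiving, or network transfer of those files).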
Categories
- Endpoint
- Windows
- macOS
Data Sources
- Process
- Application Log
- Command
- File
ATT&CK Techniques
- T1059.003
- T1074.001
- T1036
Created: 2024-02-09