
Summary
This detection rule identifies potentially malicious use of the PowerShell cmdlet 'Compress-Archive', which attackers frequently use to compress sensitive files and folders before exfiltration. The rule monitors for archives written to commonly abused temporary storage locations, such as the Windows Temp directory or user-specific AppData paths. Compressing the collected data lets adversaries package and transmit it efficiently while minimizing their network footprint. This behavior is suspicious, particularly in unusual execution contexts, because it matches known attack methodologies that involve data collection and exfiltration. The rule uses data from Windows PowerShell logging to flag such operations, enabling timely alerts and remediation.
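As an added illustration (not the rule's own query, which this page does not reproduce), the following Python approximates the logic described above over constructed script-block log entries: it matches the Compress-Archive cmdlet, extracts the -DestinationPath argument, and flags destinations under Windows\Temp, a user's AppData tree, or the TEMP/TMP environment variables. The user names and script text are constructed samples, not real telemetry.

```python
import re
from typing import List, Optional, Tuple

# Constructed entries modelled on PowerShell script block logging
# (Event ID 4104 ScriptBlockText), paired with the invoking user.
SAMPLE_SCRIPT_BLOCKS: List[Tuple[str, str]] = [
    ("alice", r"Compress-Archive -Path C:\Users\alice\Documents\*.xlsx -DestinationPath C:\Users\alice\AppData\Local\Temp\docs.zip"),
    ("svc_backup", r"Compress-Archive -Path D:\Backups\daily -DestinationPath \\fileserver\backups\daily.zip"),
    ("bob", r'Compress-Archive -LiteralPath "C:\HR\payroll.csv" -DestinationPath "$env:TEMP\p.zip" -Force'),
    ("bob", r"Compress-Archive -Path C:\ProgramData\app\logs -DestinationPath C:\Windows\Temp\out.zip"),
    ("carol", r"Expand-Archive -Path C:\Users\carol\AppData\Local\Temp\tool.zip -DestinationPath C:\Tools"),
    ("dave", r"Compress-Archive -Path C:\proj -DestinationPath C:\Users\dave\Desktop\proj.zip"),
]

# The cmdlet the rule is concerned with (case-insensitive, as PowerShell is).
CMDLET_RE = re.compile(r"\bCompress-Archive\b", re.IGNORECASE)

# -DestinationPath followed by a double-quoted, single-quoted, or bare value.
DEST_RE = re.compile(r"-DestinationPath\s+(?:\"([^\"]+)\"|'([^']+)'|(\S+))", re.IGNORECASE)

# Staging locations named in the summary: Windows\Temp, per-user AppData,
# and the TEMP/TMP environment variables in PowerShell or cmd.exe syntax.
STAGING_RE = re.compile(
    r"\\Windows\\Temp\\|\\AppData\\(?:Local|LocalLow|Roaming)\\|(?:\$env:|%)(?:TEMP|TMP)(?:%|\b)",
    re.IGNORECASE,
)


def destination_path(script_text: str) -> Optional[str]:
    """Return the -DestinationPath value from a script block, or None if absent."""
    m = DEST_RE.search(script_text)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def is_suspicious_archive(script_text: str) -> bool:
    """True when Compress-Archive writes its archive to a temp/AppData staging path."""
    if not CMDLET_RE.search(script_text):
        return False
    dest = destination_path(script_text)
    return dest is not None and STAGING_RE.search(dest) is not None


def find_staging_alerts(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (user, destination) pairs for every entry the rule would flag."""
    return [(user, destination_path(text) or "") for user, text in entries if is_suspicious_archive(text)]


if __name__ == "__main__":
    for user, dest in find_staging_alerts(SAMPLE_SCRIPT_BLOCKS):
        print(f"ALERT user={user} archive_written_to={dest}")
```

Only the destination is inspected, so an archive written to a non-staging path (the backup share above) is deliberately not flagged, and Expand-Archive is ignored because it is a different cmdlet.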
Categories
- Windows
- Endpoint
- On-Premise
Data Sources
- Process
- Script
- Logon Session
ATT&CK Techniques
- T1074.001
Created: 2021-07-20