
Summary
This analytic is designed to detect the use of Windows command-line copy utilities such as xcopy for collecting files, particularly from sensitive user directories. Threat actors commonly employ such commands to gather potentially confidential documents, which indicates malicious intent. The focus is on identifying recursive operations that target directories like Documents and Desktop, where personal or organizational files are frequently stored. Detection relies on monitoring Sysmon Event ID 1 and Windows Security Event Log 4688 (process creation), in addition to telemetry from EDR solutions like CrowdStrike. Collected files are often staged in locations like C:\ProgramData, and this behavior may precede data exfiltration attempts, lateral movement, or further compromise within the environment. By pinpointing these patterns, security teams can differentiate between routine administrative actions and potentially nefarious activity. This analytic is vital for environments with sensitive data, where file collection via legitimate utilities poses a risk.
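The following is an added example, not part of the original analytic, that shows the detection logic the summary describes applied to process-creation records. It parses the "Key: value" message body of a Sysmon Event ID 1 record (Image, CommandLine, User), checks whether the process is a command-line copy utility using a recursive switch, whether the source path is a user's Documents or Desktop directory, and whether the destination is a staging location such as C:\ProgramData. The inclusion of robocopy alongside xcopy, the Users\Public and Windows\Temp staging paths, and the sample events themselves are assumptions constructed for the example:

```python
import re
from dataclasses import dataclass
from typing import Optional

# Copy utilities and the switches that make them recurse into subdirectories.
# The page names xcopy; robocopy is added here as an assumption.
RECURSIVE_SWITCHES = {
    "xcopy.exe": {"/s", "/e"},
    "robocopy.exe": {"/s", "/e", "/mir"},
}

# User-profile directories the analytic treats as sensitive sources.
SENSITIVE_SOURCE = re.compile(r"\\Users\\[^\\]+\\(Documents|Desktop)(\\|$)", re.IGNORECASE)

# Staging locations: C:\ProgramData is from the page; the others are assumed.
STAGING_DEST = re.compile(r"^[A-Z]:\\(ProgramData|Users\\Public|Windows\\Temp)(\\|$)", re.IGNORECASE)

# Tokenizer that keeps quoted paths (which may contain spaces) as one token.
_TOKEN = re.compile(r'"[^"]*"|\S+')


@dataclass
class ProcessEvent:
    """The subset of Sysmon Event ID 1 / Security 4688 fields the rule needs."""
    image: str
    command_line: str
    user: str


def parse_sysmon_message(text: str) -> ProcessEvent:
    """Parse the 'Key: value' lines of a Sysmon Event ID 1 message body."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return ProcessEvent(fields.get("Image", ""), fields.get("CommandLine", ""), fields.get("User", ""))


def classify(event: ProcessEvent) -> Optional[dict]:
    """Return an alert dict when the event matches the collection pattern, else None."""
    exe = event.image.rsplit("\\", 1)[-1].lower()
    if exe not in RECURSIVE_SWITCHES:
        return None
    tokens = [t.strip('"') for t in _TOKEN.findall(event.command_line)]
    switches = {t.lower() for t in tokens[1:] if t.startswith("/")}
    paths = [t for t in tokens[1:] if not t.startswith("/")]
    # Both xcopy and robocopy take <source> <destination> as the first two non-switch args.
    if not (switches & RECURSIVE_SWITCHES[exe]) or not paths:
        return None
    source = paths[0]
    dest = paths[1] if len(paths) > 1 else ""
    if not SENSITIVE_SOURCE.search(source):
        return None
    # Recursive copy out of a user profile is suspicious; landing in a staging dir is worse.
    severity = "high" if STAGING_DEST.match(dest) else "medium"
    return {"severity": severity, "utility": exe, "source": source,
            "destination": dest, "user": event.user}


# Constructed sample events in Sysmon message-body form (not real telemetry).
SAMPLE_EVENTS = [
    r"""Image: C:\Windows\System32\xcopy.exe
CommandLine: xcopy "C:\Users\alice\Documents" C:\ProgramData\sync /s /e /h /y
User: CORP\alice""",
    r"""Image: C:\Windows\System32\Robocopy.exe
CommandLine: robocopy C:\Users\bob\Desktop C:\ProgramData\stage /E
User: CORP\bob""",
    r"""Image: C:\Windows\System32\xcopy.exe
CommandLine: xcopy C:\Users\alice\Documents\report.docx D:\backup\ /y
User: CORP\alice""",
    r"""Image: C:\Windows\System32\xcopy.exe
CommandLine: xcopy C:\Builds\app D:\deploy /s /e /y
User: CORP\buildsvc""",
    r"""Image: C:\Windows\System32\notepad.exe
CommandLine: notepad.exe C:\Users\alice\Documents\notes.txt
User: CORP\alice""",
    r"""Image: C:\Windows\System32\xcopy.exe
CommandLine: xcopy C:\Users\bob\Desktop\* D:\share\bob /s
User: CORP\bob""",
]


def run_detection(messages):
    """Apply the rule to a list of Sysmon message bodies; one result per message."""
    return [classify(parse_sysmon_message(m)) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_EVENTS, run_detection(SAMPLE_EVENTS)):
        print(result or "no match", "<-", msg.splitlines()[1])
```

Of the six constructed events, only the recursive copies out of Documents or Desktop match: the two that land in C:\ProgramData are rated high, the one copied to a D: share is rated medium, and a single-file copy, a build-directory copy and a non-copy process produce no alert. In production the medium tier is where tuning against backup jobs and profile migrations happens; the high tier is the one the summary's staging-before-exfiltration sequence is built around.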
Categories
- Windows
- Endpoint
Data Sources
- Pod
- Windows Registry
- Logon Session
ATT&CK Techniques
- T1119
Created: 2025-08-26