Windows Copy Files

Anvilogic Forge

Summary
This detection rule identifies potential adversary activity involving the copying of files within a Windows environment. It leverages EDR process-creation events and captures instances where the 'copy', 'xcopy', or 'robocopy' commands are executed. Adversaries may use these commands to locate and exfiltrate sensitive data from local systems or network shares. The detection logic is a SQL-like query that filters process events from the CrowdStrike data source for file-copy commands executed in the last two hours. The rule is mapped to specific known threat actors, including APT29 and REvil, illustrating the use cases in which these techniques are typically leveraged during cyber-attacks. Coverage is enhanced when PowerShell logging is enabled, which increases visibility into potentially malicious use of scripting capabilities. The rule helps identify unauthorized data access or exfiltration attempts and also supports monitoring of suspicious command usage within the Windows operating environment.
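The detection logic described above, as an added illustration in Python rather than the rule's own SQL-like query: it runs the copy/xcopy/robocopy match with a two-hour lookback over constructed EDR-style process-creation events. The JSON field names (ts, host, user, parent, cmd) are assumptions and not the CrowdStrike schema.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed EDR-style process-creation events as JSON lines. Field names
# (ts, host, user, parent, cmd) are assumptions, not the CrowdStrike schema.
SAMPLE_LOG = r"""
{"ts":"2024-02-09T10:05:00Z","host":"WS01","user":"alice","parent":"explorer.exe","cmd":"notepad.exe C:\\Users\\alice\\notes.txt"}
{"ts":"2024-02-09T10:10:00Z","host":"WS01","user":"alice","parent":"cmd.exe","cmd":"xcopy \\\\fileserver\\finance\\*.xlsx C:\\Temp\\f /s /h /y"}
{"ts":"2024-02-09T10:12:00Z","host":"WS02","user":"bob","parent":"powershell.exe","cmd":"robocopy C:\\Users\\bob\\Documents D:\\staging /E"}
{"ts":"2024-02-09T06:00:00Z","host":"WS03","user":"svc","parent":"cmd.exe","cmd":"cmd.exe /c copy C:\\old.log C:\\new.log"}
{"ts":"2024-02-09T10:15:00Z","host":"WS01","user":"alice","parent":"cmd.exe","cmd":"copycat.exe --help"}
"""

# The copy tool must appear as its own command token (optionally with .exe),
# so "copycat.exe" is not flagged while "cmd.exe /c copy a b" is. 'copy' is a
# cmd.exe built-in, so it normally appears after "/c" rather than as the image.
COPY_RE = re.compile(
    r"(?:^|[\s\"'&|;(])(?:copy|xcopy|robocopy)(?:\.exe)?(?=\s|$)", re.IGNORECASE
)


def is_copy_command(cmd: str) -> bool:
    """True if the command line invokes copy, xcopy or robocopy."""
    return bool(COPY_RE.search(cmd))


def detect_copy_commands(log_text: str, now: datetime, window=timedelta(hours=2)):
    """Return process events that ran a copy tool within `window` before `now`."""
    cutoff = now - window
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        if ts < cutoff or ts > now:  # outside the two-hour lookback
            continue
        if is_copy_command(ev["cmd"]):
            hits.append({k: ev[k] for k in ("ts", "host", "user", "parent", "cmd")})
    return hits


if __name__ == "__main__":
    # Pretend the rule runs at 10:30 UTC on the constructed day.
    run_time = datetime(2024, 2, 9, 10, 30, tzinfo=timezone.utc)
    for hit in detect_copy_commands(SAMPLE_LOG, run_time):
        print(f"{hit['ts']} {hit['host']} {hit['user']} parent={hit['parent']} :: {hit['cmd']}")
```

The 06:00 copy event is a true copy command but falls outside the lookback window, so only the xcopy and robocopy events are returned; the parent process field is kept because a scripting or shell parent is what PowerShell logging would enrich.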
Categories
  • Endpoint
  • Windows
  • Cloud
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1505.003
  • T1005
  • T1059
  • T1039
Created: 2024-02-09