
Summary
This detection rule targets the execution of RAR utilities on Windows systems, specifically the actions associated with archiving data. Threat actors often use RAR to compress sensitive information before exfiltrating it from compromised hosts. The rule leverages logs from Endpoint Detection and Response (EDR) agents, analyzing process names, process GUIDs and command-line arguments to identify potentially malicious behavior. Parameters such as '-ep1' and '-r', among others, are often associated with archiving operations and may indicate data exfiltration attempts. If RAR archiving actions are flagged, they indicate a risk of unauthorized data transfer to command and control servers, threatening data confidentiality and integrity.
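A minimal form of the logic the summary describes, written as an added example rather than the rule's own search: constructed EDR process-creation events are checked for RAR images and for the archiving switches named above, and the RAR command letter ('a' adds to an archive, 'x' extracts) is reported so an analyst can separate archiving from extraction. The field names, GUIDs, image list and sample command lines are assumptions.

```python
import shlex

# Constructed EDR process-creation events shaped like the fields the rule reads
# (process name, process GUID, command line). They are not real telemetry.
SAMPLE_EVENTS = [
    {"process_guid": "{A1-CONSTRUCTED}", "process_name": "rar.exe",
     "process": r"rar.exe a -ep1 -r C:\Users\alice\AppData\Local\Temp\q.rar C:\Finance"},
    {"process_guid": "{A2-CONSTRUCTED}", "process_name": "WinRAR.exe",
     "process": r'"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\bob\Downloads\pkg.rar'},
    {"process_guid": "{A3-CONSTRUCTED}", "process_name": "Rar.exe",
     "process": r"Rar.exe x -r C:\temp\pkg.rar C:\temp"},
    {"process_guid": "{A4-CONSTRUCTED}", "process_name": "cmd.exe",
     "process": r"cmd.exe /c dir -r"},
]

# Assumed image names for the RAR command-line and GUI binaries.
RAR_IMAGES = {"rar.exe", "winrar.exe"}
# Switches named in the summary; the real rule may match more (assumption).
ARCHIVE_SWITCHES = {"-ep1", "-r"}


def split_cmdline(cmdline):
    """Tokenise a Windows command line; posix=False keeps backslashes literal."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:
        return cmdline.split()


def evaluate_event(event):
    """Return a finding for a RAR process with archiving indicators, else None."""
    if event.get("process_name", "").lower() not in RAR_IMAGES:
        return None
    tokens = split_cmdline(event.get("process", ""))
    # Token after the image is RAR's command letter ('a' add, 'x'/'e' extract).
    command = tokens[1].lower() if len(tokens) > 1 else ""
    switches = {t.lower() for t in tokens[2:] if t.startswith("-")}
    hits = sorted(switches & ARCHIVE_SWITCHES)
    if command != "a" and not hits:
        return None            # e.g. GUI double-click on an archive: no indicators
    return {"process_guid": event.get("process_guid"),
            "command": command, "switches": hits,
            "archiving": command == "a"}   # True only when data is being added


def run_detection(events):
    """Evaluate every event and keep the ones that produced a finding."""
    return [f for f in (evaluate_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding)
```

The third sample shows why the command letter is worth surfacing: '-r' on an extract is a hit on the switch alone, so it is reported with archiving set to False for triage rather than dropped.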
Categories
- Endpoint
- Windows
Data Sources
- Pod
- Container
- User Account
- Script
- Image
- Cloud Service
ATT&CK Techniques
- T1560.001
- T1560
Created: 2025-01-27