
Summary
This detection rule identifies instances where command-line utilities are executed as child processes of archive utilities, such as WinRAR or 7-Zip, on Windows systems. It works by monitoring Windows Sysmon event logs, specifically EventCode 1, which records process creation events. By matching on the combination of parent and child process names, the rule captures command-line execution launched from an archive utility, a pattern that threat actors exploit. The rule is associated with CVE-2023-38831, a vulnerability that APT groups such as APT28, APT40 and others have leveraged to execute commands via archive utilities, which are commonly used to package and launch malware. The Splunk query filters the process-creation data for specific executable names that are commonly abused. Such activity is often indicative of malicious file execution that uses legitimate tools in an unconventional way to bypass security controls. The rule also references techniques such as command execution via script interpreters and user execution of malicious files, both prevalent methods in the current threat landscape.
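The parent/child matching described above, as an added illustration in Python rather than the rule's own Splunk query. The archive-utility and command-line-utility names, the "Key: Value" event layout and the sample events are all assumptions constructed for this example.

```python
"""Added example: flag Sysmon EventCode 1 records in which an archive utility
spawned a command-line utility. Executable lists and sample events are
assumptions for illustration, not the detection rule's own content."""
import re

# Assumed lower-cased basenames; a real rule would carry its own lists.
ARCHIVE_UTILITIES = {"winrar.exe", "7zfm.exe", "7z.exe", "7zg.exe"}
COMMAND_LINE_UTILITIES = {"cmd.exe", "powershell.exe", "wscript.exe",
                          "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def parse_event(text: str) -> dict:
    """Parse 'Key: Value' lines (the shape Sysmon events take in Splunk)."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")   # split on the first colon only
        fields[key.strip()] = value.strip()
    return fields


def is_archive_spawned_cli(event: dict) -> bool:
    """True only for process-creation events matching both name lists."""
    if event.get("EventCode") != "1":
        return False
    return (basename(event.get("ParentImage", "")) in ARCHIVE_UTILITIES
            and basename(event.get("Image", "")) in COMMAND_LINE_UTILITIES)


def find_matches(raw_events: list) -> list:
    """Return the parsed events that the detection logic flags."""
    return [e for e in map(parse_event, raw_events) if is_archive_spawned_cli(e)]


# Constructed sample telemetry: only the first event should be flagged.
SAMPLE_EVENTS = [
    r"""EventCode: 1
Image: C:\Windows\System32\cmd.exe
ParentImage: C:\Program Files\WinRAR\WinRAR.exe""",
    r"""EventCode: 1
Image: C:\Windows\System32\notepad.exe
ParentImage: C:\Program Files\7-Zip\7zFM.exe""",
    r"""EventCode: 1
Image: C:\Windows\System32\cmd.exe
ParentImage: C:\Windows\explorer.exe""",
    r"""EventCode: 3
Image: C:\Windows\System32\cmd.exe
ParentImage: C:\Program Files\WinRAR\WinRAR.exe""",
]
```

The second and third samples show why both sides of the match are needed, and the fourth shows why the EventCode filter matters.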
Categories
- Windows
Data Sources
- Process
- Windows Registry
- Command
ATT&CK Techniques
- T1059
- T1204.002
Created: 2024-02-09