Windows Obfuscated Files or Information via RAR SFX

Splunk Security Content

Summary
This detection rule targets the creation of RAR Self-Extracting (SFX) files by monitoring Sysmon Event ID 11 logs, which record file creation events for RAR SFX temporary files. The heuristic built into the detection looks for specific markers that indicate the presence of both executable code and compressed RAR data within a single file, allowing it to flag activity that may indicate unauthorized or malicious file creation. This is particularly relevant to malware packaging and data exfiltration, since RAR SFX files are an effective way to deliver payloads or covertly extract data. Although the implementation is straightforward, legitimate occurrences such as custom installers must be filtered out to reduce false positives. The detection can also launch follow-up analysis through drilldown searches, supporting deeper investigation of the risks associated with flagged events.
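To make the "executable code plus RAR data" heuristic concrete, the following is an added illustration (not the rule's own Splunk search logic) that classifies a file body by checking for a PE header followed by a RAR archive signature; the sample byte blobs are constructed inline, and the minimal PE stub is a fake header, not a real executable.

```python
import struct

# RAR archive signatures (public format magic): RAR 4.x and RAR 5.x
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def pe_header_offset(data: bytes):
    """Return the offset of the 'PE\\0\\0' signature if data starts as a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return e_lfanew


def classify(data: bytes) -> dict:
    """Classify a file body by the markers the summary describes:
    executable code (PE header) plus compressed RAR data (RAR magic)."""
    pe_off = pe_header_offset(data)
    rar_off = -1
    for magic in (RAR5_MAGIC, RAR4_MAGIC):
        idx = data.find(magic)
        if idx != -1:
            rar_off = idx
            break
    return {
        "is_pe": pe_off is not None,
        "rar_offset": rar_off,
        # Both markers present and the RAR data sits after the PE stub: SFX-shaped
        "rar_sfx": pe_off is not None and rar_off > pe_off,
    }


def build_fake_pe(stub_size: int = 0x100) -> bytes:
    """Constructed minimal PE-like stub (not a runnable executable) for offline testing."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    hdr += b"PE\x00\x00"
    hdr += b"\x00" * (stub_size - len(hdr))
    return bytes(hdr)


# Constructed samples: SFX-shaped file, plain PE, plain RAR archive
SFX_SAMPLE = build_fake_pe() + RAR4_MAGIC + b"\x00" * 32
PLAIN_PE = build_fake_pe()
PLAIN_RAR = RAR5_MAGIC + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in (("sfx", SFX_SAMPLE), ("pe", PLAIN_PE), ("rar", PLAIN_RAR)):
        print(name, classify(blob))
```

A legitimate custom installer built with the same SFX tooling will match this shape too, which is why the summary calls for filtering known-good installers before alerting.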
Categories
  • Endpoint
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1027.013
Created: 2024-12-12