
Summary
Detects execution of WinRAR (WinRAR.exe) or its command-line counterpart rar.exe on Windows endpoints from a directory other than the default installation directories. It uses endpoint process telemetry (Sysmon EventID 1, Windows Security Event ID 4688, and CrowdStrike ProcessRollup2) to identify process creations where process_name is WinRAR.exe or rar.exe and process_path is not under C:\Program Files\WinRAR or C:\Program Files (x86)\WinRAR. A match may indicate that an adversary has staged their own copy of WinRAR (for example in a user-writable or temporary directory) to archive collected data prior to exfiltration. Analysts should review the executing process path and its parent process, the full command line (which names the archive and the source directories), and, where possible, the archive that was created. The detection is a Splunk SPL query against the Endpoint.Processes data model and requires that complete command lines be ingested and normalized via CIM. Because the rule keys on the process name, a renamed copy of rar.exe is not caught by it; conversely, legitimate installations in non-default locations (portable or per-user installs) are a likely false-positive source, and the rule recommends adjusting its filters where warranted. It provides drill-down options and risk-based alerting to aid investigation and response.
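The following is an added worked example, not the rule's own SPL or any code from the detection content it summarizes: it re-implements the rule's predicate in Python over a handful of constructed Sysmon EventID 1 style records so the matching behaviour can be checked offline, including case-insensitive comparison and the trailing-separator detail that stops a look-alike directory such as C:\Program Files\WinRAR2\ from being accepted as a default install path. The field names (Image, ParentImage, CommandLine, User) follow Sysmon; the allowlist parameter and every sample path and user are assumptions for illustration.

```python
"""Re-implementation of the 'WinRAR from a non-default directory' predicate.

Added example: this is not the rule's SPL. It mirrors the logic described in
the summary (process_name in {WinRAR.exe, rar.exe} and process_path outside
the two default install directories) over constructed Sysmon EventID 1 records.
"""
from typing import Dict, Iterable, List

# Default installation directories treated as benign by the rule.
DEFAULT_WINRAR_DIRS = (
    r"C:\Program Files\WinRAR",
    r"C:\Program Files (x86)\WinRAR",
)

# Image names the rule watches (compared case-insensitively).
WATCHED_NAMES = {"winrar.exe", "rar.exe"}


def _normalize(path: str) -> str:
    """Lower-case and unify separators; Windows paths are case-insensitive."""
    return path.replace("/", "\\").lower()


def _as_dir_prefix(directory: str) -> str:
    """Ensure a trailing backslash so 'C:\\Program Files\\WinRAR2\\' is not
    mistaken for the default directory by a plain prefix comparison."""
    d = _normalize(directory)
    return d if d.endswith("\\") else d + "\\"


def is_non_default_winrar(image: str, allowlist: Iterable[str] = ()) -> bool:
    """True when `image` is WinRAR.exe/rar.exe running outside the default
    directories and outside any site-specific allowlisted directory
    (the allowlist is an assumed tuning hook, not part of the rule)."""
    path = _normalize(image)
    name = path.rsplit("\\", 1)[-1]
    if name not in WATCHED_NAMES:
        return False
    benign = [_as_dir_prefix(d) for d in (*DEFAULT_WINRAR_DIRS, *allowlist)]
    return not any(path.startswith(prefix) for prefix in benign)


def run_detection(events: List[Dict[str, str]],
                  allowlist: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Return the triage fields an analyst wants for every matching event:
    the image path, its parent, the full command line and the user."""
    hits = []
    for ev in events:
        if is_non_default_winrar(ev["Image"], allowlist):
            hits.append({k: ev[k] for k in ("Image", "ParentImage", "CommandLine", "User")})
    return hits


# Constructed sample records in Sysmon EventID 1 field naming; not real telemetry.
SAMPLE_EVENTS = [
    {   # default install, launched from Explorer: benign
        "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\jdoe\Downloads\pkg.rar',
        "User": r"CORP\jdoe",
    },
    {   # 32-bit default path in mixed case: still benign
        "Image": r"C:\PROGRAM FILES (X86)\WinRAR\Rar.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"Rar.exe x backup.rar",
        "User": r"CORP\jdoe",
    },
    {   # dropped copy in %TEMP% archiving a user's documents: should fire
        "Image": r"C:\Users\jdoe\AppData\Local\Temp\rar.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"rar.exe a -r C:\Users\jdoe\AppData\Local\Temp\out.rar C:\Users\jdoe\Documents",
        "User": r"CORP\jdoe",
    },
    {   # look-alike directory that a naive prefix match would accept: should fire
        "Image": r"C:\Program Files\WinRAR2\WinRAR.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"WinRAR.exe a staging.rar C:\Finance",
        "User": r"CORP\svc_backup",
    },
    {   # portable install on a second drive: fires unless allowlisted
        "Image": r"D:\Tools\WinRAR\WinRAR.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"D:\Tools\WinRAR\WinRAR.exe"',
        "User": r"CORP\asmith",
    },
    {   # unrelated process: ignored
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"notepad.exe notes.txt",
        "User": r"CORP\jdoe",
    },
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"ALERT {hit['User']}: {hit['Image']} <- {hit['ParentImage']}")
        print(f"      {hit['CommandLine']}")
    print("with D:\\Tools\\WinRAR allowlisted:",
          len(run_detection(SAMPLE_EVENTS, allowlist=[r"D:\Tools\WinRAR"])), "hits")
```

Running the script fires on the %TEMP% copy, the WinRAR2 look-alike and the D:\Tools portable install, and drops to two hits once D:\Tools\WinRAR is allowlisted, which is the tuning the summary recommends for known legitimate non-default installs. In Splunk the same predicate is the Processes.process_name / Processes.process_path filter on the Endpoint.Processes data model. Note that matching on the image name alone, whether here or in SPL, misses a renamed copy of rar.exe; where Sysmon is the source, its OriginalFileName field in EventID 1 offers a stronger companion check.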
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Kernel
- File
ATT&CK Techniques
- T1560.001
Created: 2026-03-03