
Steganography Hide Zip Information in Picture File

Sigma Rules

Summary
This rule detects a simple steganography technique: appending a zip archive to an image file, typically a JPEG or PNG, so that the hidden data travels inside a file that still opens as a picture. It relies on Linux audit subsystem (auditd) records of command execution, so execve auditing must be enabled on the host for the rule to see anything at all. The detection logic is a single command-line pattern: the executed program is 'cat', one argument ends with .jpg or .png, and another ends with .zip, which is the shape of a command that concatenates an image with an archive and redirects the result to a new image file. The rule is intended for forensics and security monitoring: it flags a data-hiding method that an attacker may use for defense evasion at several stages of an intrusion. Its severity is low, marking a match as an anomaly to review rather than evidence of an attack in itself. Because it keys only on 'cat' and on those three file extensions, the same concatenation performed with another tool, or with files whose extensions have been renamed, will not match, so a hit is best treated as a trigger to collect the resulting image and inspect its trailing bytes for a zip archive.
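The rule logic described above, run over constructed auditd EXECVE lines, followed by the file-level check an analyst would perform on the image an alert points at. This is an added Python example, not the rule itself and not code from the Sigma project. It assumes the rule keys on auditd's positional argument fields with the image as a1 and the zip as a2 (the order a command of the form cat image zip produces); the log lines, file names and the stub PNG are constructed here, and real auditd hex-encodes arguments that contain spaces or quotes, which this small parser does not handle.

```python
import io
import re
import zipfile

# --- Part 1: the rule's logic over auditd EXECVE records --------------------

# Constructed sample records in auditd's key=value layout (not taken from a
# real host). Events 101 and 103 concatenate an image with a zip; the others
# are lookalikes the rule must ignore. Event 103 uses an upper-case extension
# because Sigma string matching is case-insensitive.
SAMPLE_AUDIT_LOG = """\
type=EXECVE msg=audit(1631184000.123:101): argc=3 a0="cat" a1="vacation.jpg" a2="secrets.zip"
type=EXECVE msg=audit(1631184001.456:102): argc=3 a0="cat" a1="notes.txt" a2="secrets.zip"
type=EXECVE msg=audit(1631184002.789:103): argc=3 a0="cat" a1="logo.PNG" a2="payload.zip"
type=EXECVE msg=audit(1631184003.012:104): argc=2 a0="ls" a1="-la"
type=EXECVE msg=audit(1631184004.345:105): argc=3 a0="cp" a1="vacation.jpg" a2="backup.zip"
"""

IMAGE_SUFFIXES = (".jpg", ".png")
ZIP_SUFFIX = ".zip"
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r":(\d+)\)")  # event serial inside msg=audit(ts:serial):


def parse_audit_record(line: str) -> dict:
    """Split one auditd line into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def matches_hidden_zip_rule(rec: dict) -> bool:
    """True when the record is `cat <image> <zip>`: a0 is cat, a1 ends with
    .jpg or .png and a2 ends with .zip (assumed positional mapping)."""
    if rec.get("type") != "EXECVE" or rec.get("a0") != "cat":
        return False
    a1 = rec.get("a1", "").lower()
    a2 = rec.get("a2", "").lower()
    return a1.endswith(IMAGE_SUFFIXES) and a2.endswith(ZIP_SUFFIX)


def find_hidden_zip_commands(log_text: str) -> list:
    """Return (audit serial, image argument, zip argument) for each match."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_audit_record(line)
        if matches_hidden_zip_rule(rec):
            m = SERIAL_RE.search(rec.get("msg", ""))
            hits.append((m.group(1) if m else "?", rec["a1"], rec["a2"]))
    return hits


# --- Part 2: verifying the file the alert points at -------------------------

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"  # zero-length IEND chunk plus its CRC
# Stub "image": signature and terminator only, enough to show where a PNG
# ends; it is a constructed placeholder, not a renderable picture.
STUB_PNG = PNG_SIGNATURE + PNG_IEND


def build_polyglot(image: bytes, members: dict) -> bytes:
    """Produce what `cat image archive.zip > out` would: the image bytes
    followed by a zip archive holding the given name -> content members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return image + buf.getvalue()


def hidden_zip_members(data: bytes) -> list:
    """Names stored in a zip archive riding at the tail of an image, else [].

    For PNG the archive must start right after the IEND chunk. For anything
    else fall back to zipfile's own end-of-central-directory search, which
    tolerates data prepended to an archive (exactly the layout cat produces)."""
    if data.startswith(PNG_SIGNATURE):
        end = data.find(PNG_IEND)
        candidate = b"" if end < 0 else data[end + len(PNG_IEND):]
    else:
        candidate = data
    if not candidate or not zipfile.is_zipfile(io.BytesIO(candidate)):
        return []
    with zipfile.ZipFile(io.BytesIO(candidate)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    for serial, image, archive in find_hidden_zip_commands(SAMPLE_AUDIT_LOG):
        print(f"audit event {serial}: cat {image} {archive}")
    polyglot = build_polyglot(STUB_PNG, {"notes.txt": b"hidden"})
    print("members hidden in polyglot:", hidden_zip_members(polyglot))
    print("members hidden in clean stub:", hidden_zip_members(STUB_PNG))
```

Events 102, 104 and 105 show the rule's boundaries rather than its strengths: a text file instead of an image, a different program, or a copy instead of a concatenation all pass untouched, and so would the same concatenation done with dd or a scripting language. The second part is the follow-up the rule cannot do on its own: given the output image, it checks whether a zip archive sits past the end of the picture and lists what that archive contains.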
Categories
  • Linux
  • Endpoint
Data Sources
  • File
  • Logon Session
  • Command
Created: 2021-09-09