Suspicious ZipExec Execution

Sigma Rules

Summary
This detection rule identifies suspicious executions of ZipExec, a Proof-of-Concept (POC) tool that wraps executable binaries in a password-protected zip file. The detection focuses on process creation events whose command line contains parameters suggesting that ZipExec is being used for potentially malicious purposes. The rule triggers on either of two conditions: 1) execution of ZipExec, indicated by parameters that reference a .zip file together with the user option, and 2) deletion of zip files created by ZipExec, which may indicate an attempt to cover tracks after execution. The rule's level is set to medium because legitimate use is possible in some environments, but monitoring remains important because the tool can evade traditional detection methods.
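As an added illustration (not the rule's own code or the ZipExec project's), the matcher below mirrors the two-condition structure described above: a process creation event alerts when its command line contains every substring of the execution selection or every substring of the cleanup selection. The substrings `.zip`, `/user:` and `/delete`, the event field names and the sample events are assumptions standing in for the rule's actual patterns, which this page does not reproduce.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Condition 1: ZipExec-style execution, a .zip reference plus the user option.
# Condition 2: cleanup, a delete switch together with a .zip reference.
# Both tuples are ASSUMED stand-ins for the rule's real patterns.
SELECTION_EXEC = (".zip", "/user:")
SELECTION_DELETE = (".zip", "/delete")

def contains_all(command_line: str, needles: Iterable[str]) -> bool:
    """Sigma 'contains|all' semantics; case-insensitive like most backends."""
    lowered = command_line.lower()
    return all(needle.lower() in lowered for needle in needles)

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return the name of the selection a process-creation event matches."""
    if event.get("EventType") != "ProcessCreation":
        return None  # the rule only looks at process creation telemetry
    cmd = event.get("CommandLine", "")
    if contains_all(cmd, SELECTION_EXEC):
        return "zipexec_execution"
    if contains_all(cmd, SELECTION_DELETE):
        return "zipexec_cleanup"
    return None

def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (Image, matched selection) for every alerting event."""
    hits = []
    for event in events:
        label = classify(event)
        if label is not None:
            hits.append((event.get("Image", "?"), label))
    return hits

# Constructed sample events (not real telemetry). The third one shows why the
# rule requires all substrings: a plain .zip reference alone does not alert.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreation", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'cmd.exe /c start "C:\\Temp\\payload.zip" /user:alice'},
    {"EventType": "ProcessCreation", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'cmd.exe /c cleanup /delete "C:\\Temp\\payload.zip"'},
    {"EventType": "ProcessCreation", "Image": "C:\\Program Files\\7-Zip\\7z.exe",
     "CommandLine": '"C:\\Program Files\\7-Zip\\7z.exe" a backup.zip C:\\data'},
    {"EventType": "FileDelete", "Image": "C:\\Windows\\explorer.exe",
     "CommandLine": 'explorer.exe /delete C:\\Temp\\payload.zip /user:alice'},
]

if __name__ == "__main__":
    for image, label in scan(SAMPLE_EVENTS):
        print(f"{label}: {image}")
```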
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2021-11-07