
Compress Data and Lock With Password for Exfiltration With WINZIP

Sigma Rules

Summary
This detection rule identifies the use of WinZip, a widely deployed file compression and encryption utility, to stage sensitive data for exfiltration. It examines process creation events whose command line indicates that WinZip is being invoked, in particular with the option that adds files to an archive (-a) and the option that sets a password on the resulting archive (-s). The rule is built from three selections: one matching a typical WinZip execution, one matching password-protected compression, and one matching other common flags that indicate WinZip use. The rule fires only when all selections match, which singles out cases where an adversary encrypts collected data before moving it off the host. Because the logic depends entirely on the command line recorded at process creation, it applies to Windows environments where process creation telemetry (including command line arguments) is collected and where unauthorized data handling through such utilities is a concern.
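The three-selection logic described above, expressed as a small Python checker run over constructed process creation events. This is an added example, not the Sigma rule itself or any code from its author: the WinZip image names in WINZIP_IMAGES, the treatment of -a as the "other common flag" selection, the event field names (Image, CommandLine), and the sample command lines are all assumptions made for illustration.

```python
# Added example: approximates the described detection logic for WinZip
# password-protected compression. Field names and image names are assumed.

# Assumed WinZip executable names; the original rule's exact list is not on the page.
WINZIP_IMAGES = {"winzip32.exe", "winzip64.exe", "wzzip.exe"}

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WinZip\WINZIP64.EXE",
     "CommandLine": r"winzip64.exe -a -sP@ssw0rd C:\staging\finance.zip C:\Users\alice\Documents\*"},
    {"Image": r"C:\Program Files\WinZip\WINZIP64.EXE",
     "CommandLine": r"winzip64.exe -a C:\backup\photos.zip C:\Users\alice\Pictures\*"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"Image": r"C:\Program Files\WinZip\WINZIP64.EXE",
     "CommandLine": r"winzip64.exe -min -a -sHunter2 \\fileshare\hr\export.zip D:\data\*"},
]


def _tokens(event):
    """Split the command line on whitespace and lower-case each token."""
    return [t.lower() for t in event.get("CommandLine", "").split()]


def sel_winzip(event):
    """Selection 1: the process is WinZip (by image name or command line)."""
    image = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return image in WINZIP_IMAGES or "winzip" in event.get("CommandLine", "").lower()


def sel_password(event):
    """Selection 2: a password is set with -s (bare '-s' or '-s<password>')."""
    return any(t == "-s" or (t.startswith("-s") and len(t) > 2) for t in _tokens(event))


def sel_compress(event):
    """Selection 3 (assumed): files are being added to an archive with -a."""
    return "-a" in _tokens(event)


def detect_password_protected_archives(events):
    """Return the events where all three selections match, as the rule requires."""
    return [e for e in events
            if sel_winzip(e) and sel_password(e) and sel_compress(e)]


if __name__ == "__main__":
    for hit in detect_password_protected_archives(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```

Only the first and last sample events match: the second compresses without a password and the third is not WinZip at all. In a real deployment the password token check deserves tuning, since any token beginning with -s (for example an unrelated switch) would satisfy it as written.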
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1560.001
Created: 2021-07-27