
Summary
This detection rule targets potentially malicious behaviour associated with file downloads from domains under the '.zip' top-level domain (TLD). It fires when a file whose extension is considered dangerous is downloaded from such a domain; the monitored extensions include .bat, .exe and .vbs, among others. The aim is to catch techniques that pair a misleading domain name (a .zip host is easily mistaken for an archive file) with a hazardous file type in order to evade scrutiny. Because any download from such a domain matches when its extension is on the list, a benign file can also trigger the rule, so a hit is a prompt for further investigation rather than a confirmed compromise. The rule is tuned for Windows environments and relies on Sysmon file stream hash events, which record where a downloaded file came from and so make this kind of download easier to spot.
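To make the matching concrete, here is an added Python example (not the rule's own logic or any project's code) that applies the same check to Sysmon Event ID 15 (FileCreateStreamHash) records: the Zone.Identifier stream Windows attaches to a download carries a HostUrl line, so the code parses that URL, confirms the host name itself ends in .zip, and tests the downloaded file's extension. The extensions beyond .bat, .exe and .vbs, the field layout of the records and the sample records themselves are assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Extensions treated as risky when fetched from a .zip domain: .bat, .exe and .vbs are
# the ones the summary names; the rest are added here as an assumption.
RISKY_EXTENSIONS = {".bat", ".cmd", ".exe", ".hta", ".js", ".ps1", ".scr", ".vbs"}
HOSTURL_RE = re.compile(r"HostUrl=(\S+)")

@dataclass
class StreamHashEvent:
    """The Sysmon Event ID 15 (FileCreateStreamHash) fields the check needs (assumed layout)."""
    target_filename: str  # stream path, e.g. '...\invoice.exe:Zone.Identifier'
    contents: str         # stream text; Zone.Identifier carries ZoneId/HostUrl lines

def host_url(contents: str) -> str:
    """HostUrl value from Zone.Identifier contents, or '' when absent."""
    m = HOSTURL_RE.search(contents)
    return m.group(1) if m else ""

def is_zip_tld(url: str) -> bool:
    """True only when the host name itself ends in .zip; a '.zip/' in the path does not count."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host.endswith(".zip")

def downloaded_name(target_filename: str) -> str:
    """File name that owns the stream, with the ':Zone.Identifier' suffix removed."""
    return target_filename.replace("/", "\\").rsplit("\\", 1)[-1].split(":", 1)[0]

def matches_rule(ev: StreamHashEvent) -> bool:
    """Rule logic: risky extension AND the download's HostUrl sits on a .zip TLD."""
    name = downloaded_name(ev.target_filename)
    ext = name[name.rfind("."):].lower() if "." in name else ""
    url = host_url(ev.contents)
    return bool(url) and is_zip_tld(url) and ext in RISKY_EXTENSIONS

def flag_events(events: list[StreamHashEvent]) -> list[str]:
    """Names of the downloaded files whose events satisfy the rule."""
    return [downloaded_name(ev.target_filename) for ev in events if matches_rule(ev)]

# Constructed sample records (not real telemetry); only the first one should match.
DL = "C:\\Users\\alice\\Downloads\\"
SAMPLE_EVENTS = [
    StreamHashEvent(DL + "invoice.exe:Zone.Identifier",   # risky extension, .zip host
                    "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://invoice-update.zip/invoice.exe\r\n"),
    StreamHashEvent(DL + "report.pdf:Zone.Identifier",    # .zip host but safe extension
                    "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://docs.zip/report.pdf\r\n"),
    StreamHashEvent(DL + "tool.exe:Zone.Identifier",      # '.zip/' only in the URL path
                    "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.com/files/archive.zip/tool.exe\r\n"),
]
```

Checking the parsed host name rather than searching the whole URL for '.zip/' keeps ordinary archive downloads, whose path merely contains a .zip segment, from being flagged.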
Categories
- Windows
- Endpoint
Data Sources
- File
- Network Traffic
Created: 2023-05-18