
Summary
This detection rule identifies potential steganographic activity by monitoring the execution of the 'unzip' utility in a Linux environment. The specific focus is on extraction of zip files that may be hidden inside image files, such as JPEG or PNG formats. The rule inspects system call events (EXECVE) to determine whether there is an attempt to unzip a file whose target is an image file. It addresses the concern that malicious actors may conceal zip files within common image formats as a data exfiltration or evasion technique. Such activity can indicate deeper malicious intent, including unauthorized access to sensitive data. Because the detection level is classified as low, a match suggests that these events may occur but do not necessarily indicate a definitive security breach without further contextual analysis.
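The following is an added example of the detection logic described above, written here for illustration and not taken from the rule itself or from its project. It assumes auditd-style EXECVE records, in which each argument appears as aN="..." when printable and as an unquoted hex string when it contains spaces or non-printable bytes (a real auditd behaviour that naive quote-only parsing misses). The sample records, filenames and timestamps are constructed; the image extension list is an assumption based on the JPEG and PNG formats named in the summary.

```python
import os
import re
from typing import Dict, Iterable, List

# Image extensions the rule cares about (assumption: JPEG/PNG as named in the summary).
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png")

# Matches aN="quoted value" or aN=HEXSTRING as written by auditd in EXECVE records.
ARG_RE = re.compile(r'\ba(\d+)=("([^"]*)"|[0-9A-Fa-f]+)')


def parse_execve_args(record: str) -> Dict[int, str]:
    """Return the aN arguments of an auditd EXECVE record keyed by index.

    auditd quotes an argument when it is plain printable text and hex-encodes
    it (without quotes) when it contains spaces or non-printable bytes, so
    both encodings are decoded here.
    """
    args: Dict[int, str] = {}
    for m in ARG_RE.finditer(record):
        idx = int(m.group(1))
        if m.group(3) is not None:
            args[idx] = m.group(3)
        else:
            args[idx] = bytes.fromhex(m.group(2)).decode("utf-8", "replace")
    return args


def is_unzip_of_image(record: str) -> bool:
    """True when the record is an EXECVE of unzip with an image file as an argument."""
    if "type=EXECVE" not in record:
        return False
    args = parse_execve_args(record)
    # a0 is the program name; it may be a bare name or a full path.
    if os.path.basename(args.get(0, "")) != "unzip":
        return False
    # Any later argument ending in an image extension (case-insensitive) triggers.
    return any(
        value.lower().endswith(IMAGE_EXTENSIONS)
        for idx, value in args.items()
        if idx > 0
    )


def scan(records: Iterable[str]) -> List[dict]:
    """Run the detection over a stream of audit records and return the matches."""
    hits = []
    for rec in records:
        if is_unzip_of_image(rec):
            args = parse_execve_args(rec)
            hits.append({"argv": [args[i] for i in sorted(args)], "record": rec})
    return hits


# Constructed sample audit records (not real system output).
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1631174400.123:456): argc=2 a0="unzip" a1="wallpaper.png"',
    'type=EXECVE msg=audit(1631174401.000:457): argc=2 a0="unzip" a1="backup.zip"',
    # a2 is hex-encoded because the filename "holiday photo.jpg" contains a space.
    'type=EXECVE msg=audit(1631174402.000:458): argc=3 a0="/usr/bin/unzip" a1="-o" '
    'a2=686F6C696461792070686F746F2E6A7067',
    'type=EXECVE msg=audit(1631174403.000:459): argc=2 a0="cat" a1="wallpaper.png"',
    'type=SYSCALL msg=audit(1631174404.000:460): arch=c000003e syscall=59 success=yes '
    'exe="/usr/bin/unzip"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print("ALERT (low): unzip invoked on image file:", hit["argv"])
```

Only the two unzip invocations whose arguments name a .png or .jpg file match; the plain zip extraction, the `cat` of an image and the SYSCALL record (which carries no argv) do not. Because the rule's level is low, a match is best treated as an enrichment signal to be correlated with the user, the source of the image and any subsequent network activity, rather than as an alert on its own.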
Categories
- Linux
- Endpoint
Data Sources
- Process
- File
Created: 2021-09-09