A user created an abnormal password-protected archive using an archive program
Collect data and stage it on an endpoint in the organization.
Check whether the command line executed is normal for the process and user performing it. Check whether the process that created the archive creates network connections as well. Check whether other users in the organization used the same process for password-protected archive file creation.
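The three checks above, applied to process and network telemetry, as an added example that is not part of the original page or any vendor's detection logic. The event field names, the baseline of known (user, archiver) pairs and the sample events are assumptions constructed for illustration; the flag matching is approximate.

```python
import re

# Password switches (real CLI flags): 7-Zip -p<pw>; RAR -p<pw>, -hp<pw>; Info-ZIP -P <pw>, -e, --encrypt.
PW_FLAG = {
    "7z": re.compile(r"\s-p\S*", re.I),
    "rar": re.compile(r"\s-h?p\S*", re.I),
    "zip": re.compile(r"\s(-P\s+\S+|-e\b|--encrypt\b)"),
}
FAMILY = {"7z": "7z", "7za": "7z", "rar": "rar", "winrar": "rar", "zip": "zip"}

def archiver_of(image):
    """Map an image path to an archiver family, or None for any other process."""
    name = re.split(r"[\\/]", image)[-1].lower()
    return FAMILY.get(re.sub(r"\.exe$", "", name))

def is_protected(ev):
    fam = archiver_of(ev["image"])
    return bool(fam and PW_FLAG[fam].search(ev["cmdline"]))

def triage(procs, conns, baseline):
    """baseline: (user, family) pairs already known to create protected archives (assumed input)."""
    hits = [e for e in procs if is_protected(e)]
    findings = []
    for e in hits:
        fam = archiver_of(e["image"])
        users = {h["user"] for h in hits if archiver_of(h["image"]) == fam}
        users |= {u for u, f in baseline if f == fam}
        findings.append({
            "user": e["user"], "host": e["host"], "archiver": fam,
            "new_for_user": (e["user"], fam) not in baseline,   # check 1: normal for this user?
            "network": sorted(c["dest"] for c in conns          # check 2: same process on the network?
                              if (c["host"], c["pid"]) == (e["host"], e["pid"])),
            "other_users": sorted(users - {e["user"]}),         # check 3: who else does this?
        })
    return findings

# Constructed sample telemetry (not real data); field names are assumptions.
PROCS = [
    {"host": "ws-01", "user": "alice", "pid": 410, "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a -pS3cret backup.7z C:\Projects"},
    {"host": "ws-07", "user": "svc_web", "pid": 988, "image": r"C:\Users\Public\rar.exe",
     "cmdline": r"rar.exe a -hpX9 C:\Users\Public\d.rar C:\Shares\Finance"},
    {"host": "ws-01", "user": "alice", "pid": 422, "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a notes.7z C:\Notes"},
]
CONNS = [{"host": "ws-07", "pid": 988, "dest": "203.0.113.10:443"}]
BASELINE = {("alice", "7z"), ("bob", "7z")}

if __name__ == "__main__":
    print(*triage(PROCS, CONNS, BASELINE), sep="\n")
```

A finding that is new for the user, has network destinations from the same process, and has no other users of that archiver is the combination that warrants the closest look.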