
Summary
The 'Git Hook Child Process' detection rule identifies suspicious child processes spawned by Git hooks on Linux systems. Git hooks are scripts that Git runs on events such as commits and pushes, and attackers may abuse them to execute unauthorized commands while blending in with normal Git activity. The rule uses EQL (Event Query Language) to monitor process-execution events tied to Git hook scripts and flags cases where a typical Git process spawns an atypical child process; benign children such as 'git' and 'dirname' are excluded to reduce false positives. It requires process telemetry from Elastic Defend and is suited to environments where threats are likely to target Git workflows. Triage should focus on the child's command-line arguments, the parent-child relationship, and the process paths associated with the anomaly. The rule's guidance recommends remediation steps, including isolating affected systems, when an alert fires. The rule carries a low risk score and references material on the Git hook framework and on the MITRE ATT&CK techniques associated with persistence and execution tactics.
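The following is an added example, not the rule's own EQL query: it emulates the logic the summary describes (Linux process-start events whose parent command line references a .git/hooks/ script, with 'git' and 'dirname' children excluded) in Python over constructed sample telemetry. The ECS-style field names, the hook-path pattern and the sample events are assumptions for illustration.

```python
# Path fragment that marks the parent as a hook script launched by git
# (assumption: hooks live under the repository's .git/hooks/ directory).
GIT_HOOK_DIR = "/.git/hooks/"
# Children the rule summary names as excluded to cut false positives.
BENIGN_CHILDREN = {"git", "dirname"}

def parent_is_git_hook(parent: dict) -> bool:
    """True when the parent's command line references a .git/hooks/ script."""
    return any(GIT_HOOK_DIR in arg for arg in parent.get("args", []))

def is_suspicious(event: dict) -> bool:
    """Apply the described conditions to one process-start event."""
    if event.get("host.os.type") != "linux" or event.get("event.type") != "start":
        return False
    parent = event.get("process.parent", {})
    child = event.get("process.name", "")
    return parent_is_git_hook(parent) and child not in BENIGN_CHILDREN

def detect(events: list[dict]) -> list[str]:
    """Return 'parent -> child: args' for each event that matches the logic."""
    hits = []
    for e in events:
        if is_suspicious(e):
            hits.append(f"{e['process.parent']['name']} -> {e['process.name']}: "
                        + " ".join(e.get("process.args", [])))
    return hits

# Constructed sample telemetry (ECS-style keys assumed), not real captured data.
SAMPLE_EVENTS = [
    {  # hook script spawning a network client: should alert
        "host.os.type": "linux", "event.type": "start", "process.name": "curl",
        "process.args": ["curl", "-s", "http://example.invalid/x"],
        "process.parent": {"name": "bash", "args": ["bash", "/home/dev/app/.git/hooks/pre-commit"]}},
    {  # hook script calling dirname: excluded as benign
        "host.os.type": "linux", "event.type": "start", "process.name": "dirname",
        "process.args": ["dirname", "/home/dev/app/.git/hooks/pre-commit"],
        "process.parent": {"name": "bash", "args": ["bash", "/home/dev/app/.git/hooks/pre-commit"]}},
    {  # ordinary shell child with no hook path in the parent's args: no alert
        "host.os.type": "linux", "event.type": "start", "process.name": "curl",
        "process.args": ["curl", "https://example.invalid"],
        "process.parent": {"name": "bash", "args": ["bash", "-c", "curl https://example.invalid"]}},
    {  # same shape as the first event but on a non-Linux host: out of scope
        "host.os.type": "windows", "event.type": "start", "process.name": "curl",
        "process.args": ["curl"],
        "process.parent": {"name": "bash", "args": ["bash", "/repo/.git/hooks/post-checkout"]}},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Only the first sample event produces an alert; the others exercise the benign-child exclusion, the missing-hook-path case and the OS scope check.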
Categories
- Endpoint
- Linux
Data Sources
- Process
- File
- Application Log
- Cloud Service
ATT&CK Techniques
- T1543
- T1574
- T1059
- T1059.004
Created: 2024-06-26