System Binary Copied - *nix

Anvilogic Forge

Summary
This detection rule monitors for unauthorized copying of binaries out of the "/bin" directory on Unix-based systems, which may indicate an attacker renaming or relocating system utilities to avoid traditional security controls. Adversaries often use legitimate system binaries to carry out their activity while evading security measures; typical techniques include renaming these binaries or copying them to non-standard paths to disguise their intent. The rule uses endpoint detection and response (EDR) logs to identify instances where the 'cp' command is used to copy any file from the '/bin/' directory. When such an event is detected, the rule reports the involved processes, timestamp, hostname, and user account to support investigation and response. It focuses on process activity that falls under the defense evasion tactic, specifically the system binary proxy execution and masquerading techniques.
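As an added illustration of the logic the summary describes (this is example code written for this page, not the Anvilogic Forge rule itself), the block below runs the "cp from /bin/" check over a handful of constructed EDR process-start events. The event field names (timestamp, host, user, process, cmdline, parent), the sample events, and the watched_dirs parameter are all assumptions made here; real EDR schemas differ. The function parses the command line, ignores option flags, and raises an alert for every source operand under a watched directory, returning the fields the summary says an analyst needs for triage.

```python
import shlex
from dataclasses import dataclass
from typing import Iterable, List, Sequence

# Constructed sample EDR process-start events (not real telemetry).
SAMPLE_EVENTS = [
    {"timestamp": "2025-04-04T10:15:02Z", "host": "web01", "user": "root",
     "process": "/usr/bin/cp", "parent": "/bin/sh",
     "cmdline": "cp /bin/bash /tmp/.x/httpd"},
    {"timestamp": "2025-04-04T10:16:40Z", "host": "web01", "user": "deploy",
     "process": "/usr/bin/cp", "parent": "/usr/bin/python3",
     "cmdline": "cp -r /opt/app/releases/42 /opt/app/current"},
    {"timestamp": "2025-04-04T10:17:11Z", "host": "db02", "user": "postgres",
     "process": "/usr/bin/cp", "parent": "/bin/bash",
     "cmdline": "cp -p /bin/nc.openbsd /var/lib/postgresql/.cache/pg_ctl"},
    {"timestamp": "2025-04-04T10:18:00Z", "host": "db02", "user": "root",
     "process": "/usr/bin/apt-get", "parent": "/bin/bash",
     "cmdline": "apt-get install -y vim"},
    {"timestamp": "2025-04-04T10:19:30Z", "host": "build03", "user": "ci",
     "process": "/usr/bin/cp", "parent": "/usr/bin/make",
     "cmdline": "cp /bin/true ./stubs/noop"},
]


@dataclass
class Alert:
    """Fields an analyst needs to triage one hit (hypothetical schema)."""
    timestamp: str
    host: str
    user: str
    parent: str
    source: str
    destination: str
    cmdline: str


def _is_cp(process_path: str, argv: Sequence[str]) -> bool:
    """Match on the image path basename or argv[0] basename, so '/usr/bin/cp'
    and a bare 'cp' both count."""
    image = process_path.rsplit("/", 1)[-1]
    arg0 = argv[0].rsplit("/", 1)[-1] if argv else ""
    return image == "cp" or arg0 == "cp"


def _operands(argv: Sequence[str]) -> List[str]:
    """Return the non-option arguments of a cp invocation. Everything after a
    literal '--' is an operand even if it starts with '-'."""
    ops: List[str] = []
    end_of_opts = False
    for arg in argv[1:]:
        if not end_of_opts and arg == "--":
            end_of_opts = True
            continue
        if not end_of_opts and arg.startswith("-"):
            continue  # an option such as -r, -p or --preserve
        ops.append(arg)
    return ops


def detect_system_binary_copy(events: Iterable[dict],
                              watched_dirs: Sequence[str] = ("/bin/",)) -> List[Alert]:
    """Flag cp invocations whose source operand lives under a watched directory.

    watched_dirs is an assumption of this example: the page's rule watches
    '/bin/'; on merged-/usr distributions, where /bin is a symlink to /usr/bin,
    a deployment may also want '/usr/bin/' in the tuple.
    """
    alerts: List[Alert] = []
    for ev in events:
        try:
            argv = shlex.split(ev["cmdline"])
        except ValueError:
            continue  # unbalanced quotes: cannot parse, skip rather than crash
        if not _is_cp(ev["process"], argv):
            continue
        ops = _operands(argv)
        if len(ops) < 2:
            continue  # cp needs at least one source and one destination
        sources, destination = ops[:-1], ops[-1]
        for src in sources:
            if any(src.startswith(d) for d in watched_dirs):
                alerts.append(Alert(ev["timestamp"], ev["host"], ev["user"],
                                    ev["parent"], src, destination, ev["cmdline"]))
    return alerts


if __name__ == "__main__":
    for a in detect_system_binary_copy(SAMPLE_EVENTS):
        print(f"{a.timestamp} {a.host} user={a.user} parent={a.parent} "
              f"{a.source} -> {a.destination}")
```

Running it on the constructed events yields three hits: the copy of /bin/bash into a hidden directory under /tmp, the copy of /bin/nc.openbsd into a service account's cache directory, and the CI job copying /bin/true into a build tree. The last one is the kind of benign hit the summary's emphasis on parent process and user account is meant to help separate from the first two; a copy whose source was given as a relative path after changing into /bin would not be seen by this string match, which is a known limit of command-line-based rules.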
Categories
  • Endpoint
  • Linux
Data Sources
  • File
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1036.003
  • T1218
  • T1036
Created: 2025-04-04