
Summary
This detection rule monitors use of the `insmod` binary on Linux systems to load kernel object files (typically with a `.ko` extension). Use of `insmod` by a user with root privileges can indicate malicious intent, as threat actors may abuse this command to introduce rootkits that give them unauthorized control over the system while evading security solutions. The rule captures instances where `insmod` is executed outside of known, benign parent processes, making it a critical indicator of potentially unwanted activity. The detection queries process events, specifically looking for executions of `insmod`, and triggers when its conditions are met. Alongside the main detection, the rule provides a comprehensive investigation guide that details analysis techniques and steps to differentiate legitimate activity from threats. Key steps involve reviewing logs, investigating kernel module activity, and examining the parent process tree to assess the context of the execution. False positive analysis encourages verification against benign activities, such as legitimate software updates or administrative maintenance, to prevent unnecessary alerts during normal operations.
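As an added illustration (not the rule's own query or the project's code), the following Python sketch applies the detection logic described in the summary to a few constructed process events: it flags `insmod` executed as root from a parent process outside an allowlist. The ECS-style field layout (`process.name`, `process.args`, `process.parent.name`, `user.id`), the sample events and the benign-parent allowlist are assumptions for illustration and should be tuned to the environment.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed allowlist of parent processes that legitimately invoke insmod
# (driver build and package tooling). Illustrative, not the rule's own list.
BENIGN_PARENTS = {"dkms", "modprobe", "kmod", "dpkg", "rpm"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    name: str
    args: Tuple[str, ...]
    user_id: str
    parent_name: str


@dataclass(frozen=True)
class Finding:
    host: str
    parent_name: str
    module_args: Tuple[str, ...]


def parse_events(text: str) -> List[ProcessEvent]:
    """Parse newline-delimited JSON process events using ECS-style field names."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        doc = json.loads(line)
        proc = doc.get("process", {})
        events.append(ProcessEvent(
            host=doc.get("host", ""),
            name=proc.get("name", ""),
            args=tuple(proc.get("args", [])),
            user_id=str(doc.get("user", {}).get("id", "")),
            parent_name=proc.get("parent", {}).get("name", ""),
        ))
    return events


def module_args(args: Tuple[str, ...]) -> Tuple[str, ...]:
    """Non-option arguments after argv[0]: for insmod, the module file and any key=value params."""
    return tuple(a for a in args[1:] if not a.startswith("-"))


def detect(events: Iterable[ProcessEvent]) -> List[Finding]:
    """Flag insmod executed as root from a parent outside the benign allowlist."""
    findings = []
    for ev in events:
        if ev.name != "insmod":
            continue
        if ev.user_id != "0":  # an unprivileged insmod cannot load a module
            continue
        if ev.parent_name in BENIGN_PARENTS:
            continue
        findings.append(Finding(ev.host, ev.parent_name, module_args(ev.args)))
    return findings


# Constructed sample events (not real telemetry): one suspicious root insmod from a
# shell, one legitimate insmod under dkms, one non-root attempt, and one unrelated process.
SAMPLE_EVENTS = """
{"host":"web01","process":{"name":"insmod","args":["insmod","/tmp/.x/rk.ko"],"parent":{"name":"bash"}},"user":{"id":"0"}}
{"host":"build02","process":{"name":"insmod","args":["insmod","/lib/modules/6.1.0/extra/nvidia.ko"],"parent":{"name":"dkms"}},"user":{"id":"0"}}
{"host":"dev03","process":{"name":"insmod","args":["insmod","./hello.ko"],"parent":{"name":"bash"}},"user":{"id":"1000"}}
{"host":"web01","process":{"name":"ls","args":["ls","-la"],"parent":{"name":"bash"}},"user":{"id":"0"}}
""".strip()


def run_sample() -> List[Finding]:
    """Run the detector over the constructed sample; returns the findings to triage."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[ALERT] host={f.host} parent={f.parent_name} module_args={f.module_args}")
```

Each finding carries the host, the parent process and the module arguments, which are the starting points the investigation guide calls for: confirm whether the module path corresponds to a known package or driver build, walk the parent process tree to see how the shell that ran `insmod` was started, and compare against scheduled maintenance or update windows before treating the alert as a true positive.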
Categories
- Endpoint
- Linux
Data Sources
- Process
- Kernel
- Logon Session
- Container
ATT&CK Techniques
- T1547
- T1547.006
Created: 2022-07-11