Linux Restricted Shell Breakout via the gcc command

Elastic Detection Rules

Summary
This detection rule identifies potentially malicious use of the Linux gcc (GNU Compiler Collection) command. It flags unusual use of the gcc binary to spawn an interactive system shell from a restricted environment. While gcc is primarily a compiler for C and C++ programs, this rule targets instances where it is misused to execute shell commands, thereby extending an attacker's access. This behavior deviates from normal system administration activity and indicates a possible security threat. The EQL query matches process events in which a shell (sh, bash, or dash) is started by gcc with specific arguments indicative of malicious intent. The rule references MITRE ATT&CK techniques for command execution, specifically Unix shell commands. Security monitoring teams should take note of this pattern, as it often signifies an attempt to escape confinement on a compromised system.
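The parent/child relationship the summary describes, as an added Python example that is not Elastic's rule code: it evaluates ECS-style process events and flags any shell whose direct parent is gcc. The page does not give the rule's exact argument filter, so this matcher is assumed to be deliberately broader than the original EQL query; the event records below are constructed sample data, not real telemetry.

```python
# Added example (not Elastic's own rule code): a minimal matcher for the
# "shell spawned by gcc" pattern, run over constructed ECS-style events.
from typing import Iterable

SHELLS = {"sh", "bash", "dash"}


def is_gcc_shell_spawn(event: dict) -> bool:
    """True when a Linux process-start event shows gcc as the direct parent
    of a shell. The original rule's argument filter is not on the page, so
    this check is intentionally broader (assumption)."""
    if event.get("event", {}).get("type") != "start":
        return False
    if event.get("host", {}).get("os", {}).get("type") != "linux":
        return False
    proc = event.get("process", {})
    return proc.get("name") in SHELLS and proc.get("parent", {}).get("name") == "gcc"


def find_gcc_shell_spawns(events: Iterable[dict]) -> list[str]:
    """Return a one-line triage description for every matching event."""
    hits = []
    for ev in events:
        if is_gcc_shell_spawn(ev):
            p = ev["process"]
            hits.append(f"{p['name']} (pid {p.get('pid')}) spawned by gcc "
                        f"(pid {p['parent'].get('pid')}) as user "
                        f"{ev.get('user', {}).get('name')}")
    return hits


# Constructed sample events (not real telemetry): a normal compile step,
# a shell spawned by gcc, an unrelated SSH login shell, and a process-end event.
SAMPLE_EVENTS = [
    {"event": {"type": "start"}, "host": {"os": {"type": "linux"}}, "user": {"name": "build"},
     "process": {"name": "cc1", "pid": 4101, "parent": {"name": "gcc", "pid": 4100}}},
    {"event": {"type": "start"}, "host": {"os": {"type": "linux"}}, "user": {"name": "rguest"},
     "process": {"name": "bash", "pid": 4203, "parent": {"name": "gcc", "pid": 4202}}},
    {"event": {"type": "start"}, "host": {"os": {"type": "linux"}}, "user": {"name": "admin"},
     "process": {"name": "bash", "pid": 4310, "parent": {"name": "sshd", "pid": 4309}}},
    {"event": {"type": "end"}, "host": {"os": {"type": "linux"}}, "user": {"name": "rguest"},
     "process": {"name": "sh", "pid": 4400, "parent": {"name": "gcc", "pid": 4399}}},
]

if __name__ == "__main__":
    for line in find_gcc_shell_spawns(SAMPLE_EVENTS):
        print(line)
```

Only the second sample event matches: the compile step has a non-shell child, the SSH shell has a non-gcc parent, and the last record is not a start event.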
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • Container
  • File
ATT&CK Techniques
  • T1059
  • T1059.004
Created: 2022-03-09