Install Root Certificate

Sigma Rules

Summary
This detection rule flags the installation of root (CA) certificates on Linux systems. Adversaries add their own root certificate to the system trust store so that TLS connections to infrastructure they control, such as a command and control (C2) server or an interception proxy, complete without certificate warnings or validation errors (ATT&CK T1553.004, Subvert Trust Controls: Install Root Certificate). The rule looks for process-creation events whose Image (the full path of the executed binary) ends with '/update-ca-certificates' (Debian, Ubuntu and derivatives) or '/update-ca-trust' (RHEL, Fedora and derivatives), the commands that rebuild the system CA bundle after a certificate has been placed in the trust store directories. Both commands are also run during legitimate administration (package updates, rolling out an internal enterprise CA), so alerts should be triaged by checking which certificate was added, which user ran the command, and whether it coincided with a planned change. The rule is scoped to these two wrapper commands only: an attacker who writes directly into the trust store by other means, or who runs a renamed copy of the tool, is not caught by this rule alone and needs file-integrity monitoring of the CA directories as a complement.
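The following is an added example, not part of the Sigma rule or the original page, showing the rule's selection logic applied to constructed Linux process-creation events. The event structure, field names beyond Sigma's Image and CommandLine, and all sample records are assumptions made for the example; a real pipeline would read such events from auditd, Sysmon for Linux, an eBPF sensor or similar. The samples deliberately include the cases a practitioner should understand: the matching binaries in their usual paths, a copy of the tool in an unusual directory (still matched, because the rule compares only the path suffix), a renamed copy (missed, the rule's blind spot), and a similarly named script that does not match because the suffix must be exact.

```python
"""Evaluate the Sigma rule 'Install Root Certificate' over constructed
Linux process-creation events.

Matching mirrors the rule's detection block: an event matches when its
Image (full path of the executed binary) ends with '/update-ca-certificates'
or '/update-ca-trust'. Event format and sample records are constructed for
this example and are not real telemetry.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Suffixes from the rule's detection block (Sigma modifier: Image|endswith).
IMAGE_SUFFIXES = ("/update-ca-certificates", "/update-ca-trust")


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (constructed schema)."""
    timestamp: str
    host: str
    user: str
    image: str          # Sigma field 'Image': full path of the executed binary
    command_line: str   # Sigma field 'CommandLine': the full command line


def matches_install_root_certificate(event: ProcessEvent) -> bool:
    """Return True when the event satisfies the rule's selection.

    Only the Image path is inspected, exactly as the rule does; the command
    line is carried along for the analyst but does not influence the match.
    """
    return event.image.endswith(IMAGE_SUFFIXES)


def scan(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events that would raise an 'Install Root Certificate' alert."""
    return [e for e in events if matches_install_root_certificate(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Usual Debian/Ubuntu location: matches.
    ProcessEvent("2024-01-15T10:00:01Z", "web01", "root",
                 "/usr/sbin/update-ca-certificates", "update-ca-certificates"),
    # Usual RHEL/Fedora location: matches.
    ProcessEvent("2024-01-15T10:00:02Z", "web01", "root",
                 "/usr/bin/update-ca-trust", "update-ca-trust extract"),
    # Benign activity in the same directory: no match.
    ProcessEvent("2024-01-15T10:00:03Z", "web01", "alice",
                 "/usr/bin/ls", "ls -la /etc/ssl/certs"),
    # sudo itself is not matched; the child exec of the wrapped binary
    # produces its own event with Image set to the real tool.
    ProcessEvent("2024-01-15T10:00:04Z", "web01", "alice",
                 "/usr/bin/sudo", "sudo update-ca-certificates"),
    # A copy of the tool in an unusual directory still matches on the suffix.
    ProcessEvent("2024-01-15T10:00:05Z", "web01", "alice",
                 "/tmp/.x/update-ca-trust", "/tmp/.x/update-ca-trust extract"),
    # A renamed copy evades a pure Image match: the rule's blind spot.
    ProcessEvent("2024-01-15T10:00:06Z", "web01", "alice",
                 "/tmp/.x/uct", "/tmp/.x/uct extract"),
    # Similar-looking names do not match because the suffix must be exact.
    ProcessEvent("2024-01-15T10:00:07Z", "web01", "alice",
                 "/home/alice/update-ca-certificates.sh",
                 "./update-ca-certificates.sh"),
]


def main() -> None:
    for e in scan(SAMPLE_EVENTS):
        print(f"[Install Root Certificate] {e.timestamp} {e.host} "
              f"user={e.user} image={e.image} cmd={e.command_line!r}")


if __name__ == "__main__":
    main()
```

Running the block prints three alerts: the two tools in their standard locations and the copy under /tmp. The renamed copy and the similarly named script produce nothing, which is why the summary above recommends pairing this rule with monitoring of the trust store directories themselves.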
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1553.004
Created: 2020-10-05