Network Connection from Binary with RWX Memory Region

Elastic Detection Rules

Summary
This detection rule identifies suspicious behavior on Linux systems where a process sets read, write, and execute (RWX) permissions on a memory region and then establishes a network connection. The rule monitors the mprotect() system call, which changes the protection of an existing memory mapping. An RWX mapping can signify an exploitation attempt, since adversaries change memory permissions in order to execute arbitrary code (for example, a decrypted or injected payload) and then initiate connections to external servers for data exfiltration or command-and-control communication. Instances of RWX permissions should be analyzed together with outbound network activity, as the combination is a stronger indicator of malicious behavior than either event alone. The data required for detection comes from multiple sources, including endpoint logs and the auditd_manager integration. The rule uses EQL (Event Query Language) to correlate the mprotect() event and the subsequent network event for the same process.
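As an added illustration (not the rule's own EQL, which is not reproduced here), the correlation the rule describes can be shown in Python over constructed auditd-style events: an mprotect() call whose protection argument is PROT_READ|PROT_WRITE|PROT_EXEC (value 7) followed by a connection attempt from the same pid. The field names, the sample events and the 60-second window are assumptions for this example.

```python
# Added example (not Elastic's rule code): correlate auditd mprotect()
# calls that request RWX protection with a later outbound connection
# from the same process, mirroring the rule's sequence logic.
from dataclasses import dataclass

# PROT_READ | PROT_WRITE | PROT_EXEC from <sys/mman.h>; mprotect's third
# argument (a2 in auditd SYSCALL records) carries this value as hex.
PROT_RWX = 0x1 | 0x2 | 0x4  # == 7

@dataclass
class Event:
    ts: float
    pid: int
    comm: str
    kind: str            # "syscall" or "network" (assumed field names)
    syscall: str = ""    # e.g. "mprotect"
    a2: str = ""         # auditd argument fields are hex strings
    dest: str = ""       # "ip:port" for network events

def is_rwx_mprotect(ev: Event) -> bool:
    """True when a SYSCALL record is mprotect() with prot == RWX."""
    if ev.kind != "syscall" or ev.syscall != "mprotect":
        return False
    try:
        return int(ev.a2, 16) == PROT_RWX
    except ValueError:
        return False

def find_rwx_then_connect(events, window=60.0):
    """Return (pid, comm, dest) for each process that made an RWX mprotect()
    and then attempted a network connection within `window` seconds."""
    hits, rwx_seen = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        if is_rwx_mprotect(ev):
            rwx_seen[ev.pid] = ev.ts           # remember most recent RWX change
        elif ev.kind == "network" and ev.pid in rwx_seen:
            if ev.ts - rwx_seen[ev.pid] <= window:
                hits.append((ev.pid, ev.comm, ev.dest))
                del rwx_seen[ev.pid]           # report each pairing once
    return hits

# Constructed sample events (not real telemetry).
SAMPLE = [
    Event(1.0, 4242, "loader", "syscall", syscall="mprotect", a2="7"),
    Event(2.5, 4242, "loader", "network", dest="203.0.113.10:443"),
    Event(3.0, 5150, "curl", "syscall", syscall="mprotect", a2="5"),   # R+X only
    Event(3.2, 5150, "curl", "network", dest="198.51.100.7:80"),
    Event(4.0, 6001, "java", "syscall", syscall="mprotect", a2="7"),  # no connect
]
```

Only the `loader` process is reported: `curl` never requested RWX, and `java` changed protections but made no connection, which is the kind of benign JIT activity the network condition is there to filter out.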
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • Network Traffic
  • File
  • Container
ATT&CK Techniques
  • T1059
  • T1059.004
  • T1071
Created: 2024-03-13