Linux User Account Credential Modification

Elastic Detection Rules

Summary
This Elastic detection rule targets potentially malicious user account credential modification on Linux systems. It specifically looks for a user using the `echo` command to feed a password directly into the `passwd` utility, a behavior commonly employed by malware post-infection to automate credential changes. The rule uses EQL (Event Query Language) to match Linux process events with the defined characteristics, such as execution of a shell whose command line contains both 'echo' and 'passwd'. The rule requires data from Elastic Defend, an endpoint monitoring solution; setup involves configuring the Elastic Agent through Fleet so that events on the host machine are collected. The rule is classified as low severity because of its narrow focus on automated credential manipulation, which maps to the MITRE ATT&CK framework's Account Manipulation technique (T1098) within the Persistence tactic (TA0003).
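To make the matching logic concrete, the following is an added Python example, not Elastic's rule and not its EQL query. It applies the criteria described above (a shell process whose command line contains both 'echo' and 'passwd') to a handful of constructed process events, and builds triage records with the echoed password masked, since the raw command line carries the cleartext secret. The shell list, the ECS-style field names, and the restriction to process start events are assumptions, not details taken from the page.

```python
"""Added example (not Elastic's rule or its EQL): a toy detector that applies
the summary's criteria -- a shell process whose command line contains both
'echo' and 'passwd' -- to constructed process events and builds alerts with
the echoed password masked."""
import re
from dataclasses import dataclass

# Assumption: which process names count as "a shell". Elastic's list is not on the page.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}


@dataclass
class ProcessEvent:
    """Stand-in for an ECS process event; field names are assumed, not from the page."""
    host_name: str
    user_name: str             # account that launched the shell (the actor)
    process_name: str          # ECS process.name
    command_line: str          # ECS process.command_line
    event_type: str = "start"  # ECS event.type; only starts are evaluated (assumption)


# Recognises 'echo <secret> | [sudo ...] passwd [account]' so the secret can be
# masked and the target account extracted for triage.
_ECHO_PIPE = re.compile(
    r"echo\s+(?P<secret>.+?)\s*\|\s*(?:\S+\s+)*?passwd\b(?:\s+(?P<account>\S+))?"
)


def matches_rule(ev: ProcessEvent) -> bool:
    """The page's stated criteria: shell execution with both tokens in the command line."""
    return (
        ev.event_type == "start"
        and ev.process_name in SHELLS
        and "echo" in ev.command_line
        and "passwd" in ev.command_line
    )


def build_alert(ev: ProcessEvent) -> dict:
    """Triage record; the command line carries the cleartext password, so mask it
    before the alert is stored or forwarded."""
    m = _ECHO_PIPE.search(ev.command_line)
    target = ev.user_name  # passwd with no argument changes the caller's own password
    redacted = ev.command_line
    if m:
        if m.group("account"):
            target = m.group("account").strip("\"'")
        redacted = redacted.replace(m.group("secret"), "<redacted>", 1)
    return {
        "host": ev.host_name,
        "actor": ev.user_name,
        "target_account": target,
        "command_line": redacted,
        "attack_technique": "T1098",
    }


def scan(events) -> list:
    """Run the rule over a batch of events and return the alerts it produces."""
    return [build_alert(ev) for ev in events if matches_rule(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("web01", "www-data", "sh", 'sh -c "echo Pa55w0rd | passwd root"'),
    ProcessEvent("web01", "alice", "bash", 'bash -c "echo hello world"'),
    ProcessEvent("web01", "alice", "passwd", "passwd"),  # interactive use, no shell
    ProcessEvent("web01", "alice", "bash",
                 'bash -c "grep passwd /etc/nsswitch.conf && echo done"'),
    ProcessEvent("web01", "www-data", "sh",
                 'sh -c "echo Pa55w0rd | passwd root"', event_type="end"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Two of the five constructed events produce alerts. The first is the behavior the rule is after, and its alert shows the password masked and `root` extracted as the target account. The fourth is a benign command line that happens to contain both words; with a bare token check like this one it is still flagged, which illustrates why a rule of this shape is tuned in the field and sits at low severity. The fifth shows the assumed event-type filter dropping the process end record so each execution is counted once.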
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Container
  • File
ATT&CK Techniques
  • T1098
Created: 2025-02-21