
Summary
This threat detection rule identifies manual execution of the `dracut` command on Linux systems, which can indicate potentially malicious activity. The `dracut` utility builds the initramfs images needed to boot a Linux system. An attacker can use it to generate a custom initramfs image containing a backdoor and thereby gain persistence on the system. The rule uses an EQL (Event Query Language) query to match events in which a `dracut` process is started, with filters that exclude legitimate parent processes and scenarios. The overall goal is to prevent and respond to unauthorized access by detecting abnormal usage of the program, strengthening the system against threats that abuse the boot process.
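The following is an added example, not the rule's own EQL query or any vendor code: a small Python emulation of the logic the summary describes, run over a handful of constructed process events in a flattened ECS-style layout. The field names (`event.type`, `process.name`, `process.parent.name`, `process.args`, `host.name`) and the list of parent processes treated as legitimate are assumptions chosen for illustration; the real rule's exclusions may differ.

```python
# Added example: emulates the dracut detection described above.
# NOT the rule's actual EQL. Field names follow ECS conventions and the
# LEGITIMATE_PARENTS list is an ASSUMPTION for illustration only.

# ASSUMPTION: package managers and kernel hooks that routinely rebuild
# initramfs images after a kernel update. Tune this for your environment.
LEGITIMATE_PARENTS = {
    "dnf", "yum", "rpm", "apt", "apt-get", "dpkg",
    "kernel-install", "dracut-rebuild", "new-kernel-pkg",
}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event.type": "start", "host.name": "web01", "process.name": "dracut",
     "process.parent.name": "dnf", "process.args": ["dracut", "-f"]},
    {"event.type": "start", "host.name": "web01", "process.name": "dracut",
     "process.parent.name": "bash",
     "process.args": ["dracut", "--force", "/boot/initramfs.img"]},
    {"event.type": "start", "host.name": "db02", "process.name": "dracut",
     "process.parent.name": "kernel-install",
     "process.args": ["dracut", "--kver", "6.1.0-example"]},
    {"event.type": "start", "host.name": "db02", "process.name": "sshd",
     "process.parent.name": "systemd", "process.args": ["sshd", "-D"]},
    {"event.type": "end", "host.name": "db02", "process.name": "dracut",
     "process.parent.name": "bash", "process.args": ["dracut"]},
    {"event.type": "start", "host.name": "build03", "process.name": "dracut",
     "process.parent.name": "sudo", "process.args": ["dracut", "-f"]},
]


def matches_rule(event):
    """Return True for a dracut process *start* whose parent is not on the
    legitimate-parent list. This mirrors the summary: match the process
    launch, then filter out expected callers."""
    if event.get("event.type") != "start":
        return False
    if event.get("process.name") != "dracut":
        return False
    return event.get("process.parent.name") not in LEGITIMATE_PARENTS


def find_alerts(events):
    """Evaluate the rule over a list of events and return alert summaries
    that an analyst can triage (host, parent process, full command line)."""
    alerts = []
    for e in events:
        if matches_rule(e):
            alerts.append({
                "host": e["host.name"],
                "parent": e["process.parent.name"],
                "command_line": " ".join(e["process.args"]),
            })
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_EVENTS):
        print(f"[ALERT] {a['host']}: dracut started by {a['parent']}: "
              f"{a['command_line']}")
```

Run as written, the two events whose parent is an interactive shell or `sudo` are reported, while the package-manager and kernel-hook launches, the non-dracut process, and the process-end event are filtered out. In a real deployment the parent-process allowlist is the main tuning knob: too broad and an attacker who launches `dracut` through an allowed parent slips past; too narrow and every kernel update pages the on-call analyst.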
Categories
- Linux
- Endpoint
Data Sources
- Process
- File
- Command
ATT&CK Techniques
- T1542
- T1059
- T1059.004
Created: 2025-01-16