
Summary
This detection rule identifies abnormal egress internet connections initiated by child processes of the SSH daemon (SSHD) on Linux systems. An attacker may compromise SSHD by modifying shell configuration files or backdooring the daemon itself, aiming for unauthorized persistence and potentially exfiltrating sensitive data. The rule uses an EQL sequence query to correlate legitimate SSHD process executions with potentially malicious outbound connections, while excluding common benign processes and internal IP ranges. The focus is on identifying anomalous behavior that may indicate an established command-and-control (C2) communication channel in a compromised environment. Investigators are encouraged to analyze the attributes of SSHD child processes and their destination IPs, while remaining alert to false positives arising from normal administrative activity or security tools that exhibit similar networking behavior.
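The correlation the summary describes (an EQL sequence keyed on the process, joining an SSHD child process start with a later outbound connection, with internal ranges and known-benign processes filtered out) can be emulated outside a SIEM to sanity-check the logic against sample telemetry. The following is an added example written for this page, not the rule's own query or Elastic code; the event field names follow ECS conventions, the internal ranges, the ten-second span and the benign process allow-list are assumptions, and every event is constructed inline.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumption: address ranges treated as "internal" and therefore excluded.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

# Assumption: child processes whose egress is expected (package managers here).
BENIGN_PROCESSES = {"apt", "apt-get", "yum", "dnf"}


def is_internal(ip: str) -> bool:
    """True if the destination falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def correlate(events, maxspan=timedelta(seconds=10)):
    """Emulate an EQL sequence keyed on process.pid:
         [process where event.type == "start" and process.parent.name == "sshd"]
         [network where destination is not internal and process.name is not benign]
       within `maxspan`. Returns one alert dict per matched pair."""
    pending = {}   # pid -> start time of an sshd child awaiting its first egress
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        ts = datetime.fromisoformat(ev["@timestamp"])
        pid = ev["process.pid"]
        if ev["event.category"] == "process" and ev["event.type"] == "start":
            if ev["process.parent.name"] == "sshd":
                pending[pid] = ts
            else:
                pending.pop(pid, None)        # pid reused by an unrelated process
        elif ev["event.category"] == "network":
            start_ts = pending.get(pid)
            if start_ts is None:
                continue                      # no sshd child start seen for this pid
            if ts - start_ts > maxspan:
                pending.pop(pid)              # outside the sequence window
                continue
            if is_internal(ev["destination.ip"]) or ev["process.name"] in BENIGN_PROCESSES:
                continue                      # excluded by the rule's filters
            alerts.append({
                "process.pid": pid,
                "process.name": ev["process.name"],
                "destination.ip": ev["destination.ip"],
                "@timestamp": ev["@timestamp"],
            })
            pending.pop(pid)                  # one alert per child process
    return alerts


# Constructed sample telemetry (not real logs). Documentation ranges are used for
# the "external" destinations; only pid 4242 should produce an alert.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-06-06T10:00:00", "event.category": "process", "event.type": "start",
     "process.pid": 4242, "process.name": "bash", "process.parent.name": "sshd"},
    {"@timestamp": "2024-06-06T10:00:03", "event.category": "network", "event.type": "start",
     "process.pid": 4242, "process.name": "bash", "destination.ip": "203.0.113.10"},
    {"@timestamp": "2024-06-06T10:00:05", "event.category": "process", "event.type": "start",
     "process.pid": 4300, "process.name": "bash", "process.parent.name": "sshd"},
    {"@timestamp": "2024-06-06T10:00:06", "event.category": "network", "event.type": "start",
     "process.pid": 4300, "process.name": "bash", "destination.ip": "10.0.0.5"},      # internal
    {"@timestamp": "2024-06-06T10:00:10", "event.category": "process", "event.type": "start",
     "process.pid": 4400, "process.name": "apt-get", "process.parent.name": "sshd"},
    {"@timestamp": "2024-06-06T10:00:12", "event.category": "network", "event.type": "start",
     "process.pid": 4400, "process.name": "apt-get", "destination.ip": "203.0.113.50"},  # benign
    {"@timestamp": "2024-06-06T10:00:20", "event.category": "process", "event.type": "start",
     "process.pid": 4500, "process.name": "bash", "process.parent.name": "cron"},       # not sshd
    {"@timestamp": "2024-06-06T10:00:21", "event.category": "network", "event.type": "start",
     "process.pid": 4500, "process.name": "bash", "destination.ip": "198.51.100.7"},
    {"@timestamp": "2024-06-06T10:00:30", "event.category": "process", "event.type": "start",
     "process.pid": 4600, "process.name": "python3", "process.parent.name": "sshd"},
    {"@timestamp": "2024-06-06T10:00:50", "event.category": "network", "event.type": "start",
     "process.pid": 4600, "process.name": "python3", "destination.ip": "198.51.100.9"},  # too late
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT sshd child egress:", alert)
```

The four non-alerting pids cover the rule's stated exclusions in turn: an internal destination, an allow-listed process, a child of something other than sshd, and a connection that falls outside the sequence window. When tuning the real rule, the allow-list and the span are the two knobs most likely to need adjustment for administrative tooling that legitimately reaches out after login.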
Categories
- Endpoint
- Linux
Data Sources
- Process
- Network Traffic
- Application Log
ATT&CK Techniques
- T1546
- T1546.004
- T1021
- T1021.004
- T1563
- T1563.001
Created: 2024-06-06