
Linux init (PID 1) Secret Dump via GDB

Elastic Detection Rules

Summary
This detection rule monitors for attempts to dump the memory of the Linux init process (PID 1) with GDB (the GNU Debugger). Such activity is a strong indicator of credential dumping, in which attackers use GDB to extract secrets from privileged processes; tools such as 'truffleproc' and 'bash-memory-dump' automate exactly this. The rule triggers an alert when a process event showing GDB being attached to PID 1 appears in logs sourced from integrations including Elastic Defend, CrowdStrike, and SentinelOne. Because this behavior should not occur during normal operations, every hit warrants a thorough investigation. The recommended triage is to verify whether the GDB invocation was legitimate, assess the permissions of the user who ran it, and review the surrounding server logs for related suspicious activity. The risk for this detection is classified as medium, with a risk score of 47. The rule also documents how to handle false positives and the remediation steps for responding to a confirmed incident, reinforcing the importance of protecting Linux endpoints against credential access attacks.
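To make the matching criterion concrete, here is an added example (not the rule's own query or Elastic code) that applies the same logic to constructed process events: it extracts the PID that a gdb command line attaches to, covering the `-p N`, `--pid N`, `--pid=N` and positional `gdb executable PID` forms, and flags only events that target PID 1. The ECS-like field names and the sample events are assumptions for the example.

```python
import json
import re
import shlex

# Constructed sample process events (not real telemetry), loosely modelled on
# ECS fields process.name / process.command_line.
SAMPLE_EVENTS = [
    '{"process": {"name": "gdb", "command_line": "gdb --pid=1", "user": "root"}}',
    '{"process": {"name": "gdb", "command_line": "gdb -p 1 -batch -ex dump", "user": "root"}}',
    '{"process": {"name": "gdb", "command_line": "gdb --pid 12 ./app", "user": "dev"}}',
    '{"process": {"name": "gdb", "command_line": "gdb -p 100", "user": "dev"}}',
    '{"process": {"name": "bash", "command_line": "bash -c \'gdb -p 1\'", "user": "root"}}',
    '{"process": {"name": "gdb", "command_line": "gdb ./a.out 1", "user": "dev"}}',
]

# gdb options that consume the following argument (partial list, enough for the sample).
OPTS_WITH_VALUE = {"-ex", "-x", "-iex", "-ix", "-d", "-cd"}


def gdb_target_pids(command_line):
    """Return the PIDs a gdb command line attaches to (-p N, -pid N, --pid N,
    --pid=N, or the positional 'gdb [executable] PID' form)."""
    try:
        argv = shlex.split(command_line)
    except ValueError:  # unbalanced quotes: nothing reliable to parse
        return []
    pids, positional, i = [], [], 1
    while i < len(argv):
        a = argv[i]
        m = re.fullmatch(r"--pid=(\d+)", a)
        if m:
            pids.append(int(m.group(1)))
        elif a in ("-p", "-pid", "--pid") and i + 1 < len(argv) and argv[i + 1].isdigit():
            pids.append(int(argv[i + 1]))
            i += 1
        elif a in OPTS_WITH_VALUE:
            i += 1  # skip the option's value so it is not taken as a positional
        elif not a.startswith("-"):
            positional.append(a)
        i += 1
    if len(positional) == 2 and positional[1].isdigit():  # gdb ./exe 1
        pids.append(int(positional[1]))
    return pids


def is_init_secret_dump(event_json):
    """True when the event is a gdb process attaching to PID 1. A shell wrapper
    such as `bash -c 'gdb -p 1'` is not matched here; the gdb child process
    generates its own event and is caught there."""
    proc = json.loads(event_json).get("process", {})
    return proc.get("name") == "gdb" and 1 in gdb_target_pids(proc.get("command_line", ""))


def scan(events):
    """Return the events that would raise this alert."""
    return [e for e in events if is_init_secret_dump(e)]
```

Note that a bare substring check for "1" would also match `--pid 12` and `-p 100`; parsing the argument list avoids those false positives.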
Categories
  • Endpoint
  • Linux
  • Cloud
Data Sources
  • Process
  • File
  • Network Traffic
  • Application Log
  • Command
ATT&CK Techniques
  • T1003
  • T1003.007
Created: 2023-08-30